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Abstract 


The United States of America has adopted a suite of Secure Hash 
Algorithms (SHAs), including four beyond SHA-1, as part of a Federal 
Information Processing Standard (FIPS), namely SHA-224, SHA-256, 
SHA-384, and SHA-512. This document makes open source code 
performing these SHA hash functions conveniently available to the 
Internet community. The sample code supports input strings of 
arbitrary bit length. Much of the text herein was adapted by the 
authors from FIPS 180-2. 


This document replaces RFC 4634, fixing errata and adding code for an 
HMAC-based extract-and-expand Key Derivation Function, HKDF (RFC 
5869). As with RFC 4634, code to perform SHA-based Hashed Message 
Authentication Codes (HMACs) is also included. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is 
published for informational purposes. 


This document is a product of the Internet Engineering Task Force 


(IETF). It represents the consensus of the IETF community. It has 
received public review and has been approved for publication by the 
Internet Engineering Steering Group (IESG). Not all documents 


approved by the IESG are a candidate for any level of Internet 
Standard; see Section 2 of RFC 5741. 


Information about the current status of this document, any errata, 


and how to provide feedback on it may be obtained at 
http://www.rfc-editor.org/info/rfc6234. 
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Copyright Notice 


Copyright (c) 2011 IETF Trust and the persons identified as the 
document authors. All rights reserved. 


This document is subject to BCP 78 and the IETF Trust’s Legal 
Provisions Relating to IETF Documents 
(http://trustee.ietf.org/license-info) in effect on the date of 
publication of this document. Please review these documents 
carefully, as they describe your rights and restrictions with respect 
to this document. Code Components extracted from this document must 
include Simplified BSD License text as described in Section 4.e of 
the Trust Legal Provisions and are provided without warranty as 
described in the Simplified BSD License. 
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Overview of Contents 


This document includes specifications for the United States of 
America (USA) Federal Information Processing Standard (FIPS) Secure 
Hash Algorithms (SHAs), code to implement the SHAs, code to implement 
HMAC (Hashed Message Authentication Code, [RFC2104]) based on the 
SHAs, and code to implement HKDF (HMAC-based Key Derivation Function, 
[RFC5869]) based on HMAC. Specifications for HMAC and HKDF are not 
included as they appear elsewhere in the RFC series [RFC2104] 
[RFC5869]. 


NOTE: Much of the text below is taken from [SHS], and the assertions 
of the security of the hash algorithms described therein are made by 
the US Government, the author of [SHS], not by the listed authors of 
this document. See also [RFC6194] concerning the security of SHA-1. 


The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874], 
SHA-256, SHA-384, and SHA-512, for computing a condensed 
representation of a message or a data file. (SHA-1 is specified in 
[RFC3174].) When a message of any length « 2^64 bits (for SHA-224 and 
SHA-256) or « 2^128 bits (for SHA-384 and SHA-512) is input to one of 
these algorithms, the result is an output called a message digest. 
The message digests range in length from 224 to 512 bits, depending 
on the algorithm. Secure Hash Algorithms are typically used with 
other cryptographic algorithms, such as digital signature algorithms 
and keyed-hash authentication codes, the generation of random numbers 
[RFC4086], or in key derivation functions. 


The algorithms specified in this document are called secure because 
it is computationally infeasible to (1) find a message that 
corresponds to a given message digest, or (2) find two different 
messages that produce the same message digest. Any change to a 
message in transit will, with very high probability, result in a 
different message digest. This will result in a verification failure 
when the Secure Hash Algorithm is used with a digital signature 
algorithm or a keyed-hash message authentication algorithm. 


The code provided herein supports input strings of arbitrary bit 
length.  SHA-1's sample code from [RFC3174] has also been updated to 
handle input strings of arbitrary bit length. Permission is granted 
for all uses, commercial and non-commercial, of this code. 


This document obsoletes [RFC4634], and the changes from that RFC are 
summarized in the Appendix. 
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ASN.1 OIDs (Object Identifiers) for the SHA algorithms, taken from 
[RFC4055], are as follows: 


id-shal OBJECT IDENTIFIER ::- { iso(1) 
identified-organization(3) oiw(14) 
secsig(3) algorithms(2) 26 ] 
id-sha224 OBJECT IDENTIFIER ::= {{ joint-iso-itu-t (2 
country(16) us(840) organization(1 
csor(3) nistalgorithm(4) hashalgs ( 
id-sha256 OBJECT IDENTIFIER ::- { joint-iso-itu-t (2) 
country(16) us(840) organization(1) gov(101) 
csor(3) nistalgorithm(4) hashalgs(2) 1 } 
id-sha384 OBJECT IDENTIFIER ::- (| joint-iso-itu-t (2) 
country(16) us(840) organization(1) gov(101) 
csor(3) nistalgorithm(4) hashalgs(2) 2 } 
id-sha512 OBJECT IDENTIFIER  ::- { joint-iso-itu-t (2) 
country(16) us(840) organization(1) gov(101) 
csor(3) nistalgorithm(4) hashalgs(2) 3 } 


) 
) ( 
2) 4 ) 


Section 2 below defines the terminology and functions used as 
building blocks to form these algorithms. Section 3 describes the 
fundamental operations on words from which these algorithms are 
built. Section 4 describes how messages are padded up to an integral 
multiple of the required block size and then parsed into blocks. 
Section 5 defines the constants and the composite functions used to 
specify the hash algorithms. Section 6 gives the actual 
specification for the SHA-224, SHA-256, SHA-384, and SHA-512 
functions. Section 7 provides pointers to the specification of HMAC 
keyed message authentication codes and to the specification of an 
extract-and-expand key derivation function based on HMAC. 


Section 8 gives sample code for the SHA algorithms, for SHA-based 
HMACs, and for HMAC-based extract-and-expand key derivation function. 


Notation for Bit Strings and Integers 


The following terminology related to bit strings and integers will be 
used: 

a. A hex digit is an element of the set (0, 1, ... , 9, А, ... , FJ). 
A hex digit is the representation of a 4-bit string. Examples: 7 
= 0111, A = 1010. 


b. A word equals a 32-bit or 64-bit string that may be represented 
as a sequence of 8 or 16 hex digits, respectively. To convert a 
word to hex digits, each 4-bit string is converted to its hex 
equivalent as described in (a) above. Example: 
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З 


1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23. 


Throughout this document, the "рід-епдіап" convention is used when 
expressing both 32-bit and 64-bit words, so that within each word 
the most significant bit is shown in the leftmost bit position. 


c. An integer may be represented as a word or pair of words. 


An integer between 0 and 2^32 - 1 inclusive may be represented as 
a 32-bit word. The least significant four bits of the integer are 
represented by the rightmost hex digit of the word representation. 
Example: the integer 291 = 2^8+2^5+2^1+2^0 = 256+32+2+1 is 
represented by the hex word 00000123. 


The same holds true for an integer between 0 and 2^64-1 inclusive, 
which may be represented as a 64-bit word. 


If Z is an integer, 0 <= z « 2^64, then z = (2^32)x + y where 

0 <= х < 2232 апа 0 <= y < 2732. Since x and y can be represented 
as words X and Y, respectively, z can be represented as the pair 
of words (X,Y). 


Again, the "big-endian" convention is used and the most 
significant word is in the leftmost word position for values 
represented by multiple-words. 


d. block = 512-bit or 1024-bit string. A block (e.g., B) may be 
represented as a sequence of 32-bit or 64-bit words. 


Operations on Words 


The following logical operators will be applied to words in all four 
hash operations specified herein.  SHA-224 and SHA-256 operate on 
32-bit words while SHA-384 and SHA-512 operate on 64-bit words. 


In the operations below, x««n is obtained as follows: discard the 
leftmost n bits of x and then pad the result with n zeroed bits on 
the right (the result will still be the same number of bits). 
Similarly, x>>n is obtained as follows: discard the rightmost n bits 
of x and then prepend the result with n zeroed bits on the left (the 
result will still be the same number of bits). 


Bitwise logical word operations 


X AND Y 


bitwise logical "and" of Х and Y. 


X OR Y 


bitwise logical "inclusive-or" of X and Y. 
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X XOR Y = bitwise logical "exclusive-or" of X and Y. 


т 
О 
H 
ж 
ll 


bitwise logical "complement" of X. 


01101100101110011101001001111011 
XOR 01100101110000010110100110110111 


= 00001001011110001011101111001100 
b. The operation X + Y is defined as follows: words X and Y represent 
w-bit integers x and y, where 0 <= x « 2^w and 0 <= y « 2^w. For 
positive integers n and m, let 
n mod m 
be the remainder upon dividing n by m. Compute 
z = (x + y) mod 2^vw. 


Then 0 <= 2 < 2^w. Convert z to a word, Z, and define Z = X + У. 


с. The right shift operation SHR^n(x), where x is a w-bit word and n 
is an integer with 0 <= п < м, is defined by 


SHR^n (x) = x>>n 
d. The rotate right (circular right shift) operation ROTR^n(x), where 
x is a w-bit word and n is an integer with 0 <= n < м, is defined 
by 


ROTR^n(x) = (x»»n) OR (x««(w-n)) 


e. The rotate left (circular left shift) operation ROTL^n(x), where x 
is a w-bit word and n is an integer with 0 <= п < м, is defined by 


ROTL^n(X) = (x<<n) OR (x»»(w-n)) 


Note the following equivalence relationships, where w is fixed in 
each relationship: 


ROTL^n (x) ROTR^ (w-n) (x) 


ROTR^n(x) = ROTL^(w-n) (x) 


Eastlake & Hansen Informational [Page 7] 


RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 


4. 


4. 


Message Padding and Parsing 


The hash functions specified herein are used to compute a message 
digest for a message or data file that is provided as input. The 
message or data file should be considered to be a bit string. The 
length of the message is the number of bits in the message (the empty 
message has length 0). If the number of bits in a message is a 
multiple of 8, for compactness we can represent the message in hex. 
The purpose of message padding is to make the total length of a 
padded message a multiple of 512 for SHA-224 and SHA-256 or a 
multiple of 1024 for SHA-384 and SHA-512. 


The following specifies how this padding shall be performed. As a 
summary, a "1" followed by m "O"s followed by a 64-bit or 128-bit 
integer are appended to the end of the message to produce a padded 
message of length 512*n or 1024*n. The appended integer is the 
length of the original message. The padded message is then processed 
by the hash function as n 512-bit or 1024-bit blocks. 


1, 5НА-224 and SHA-256 


Suppose a message has length L « 2^64. Before it is input to the 
hash function, the message is padded on the right as follows: 


a. "1" is appended. Example: if the original message is "01010000", 
this is padded to "010100001". 


b. K "O"s are appended where K is the smallest, non-negative solution 
to the equation 


( L + 1+ EK) mod 512 = 448 
c. Then append the 64-bit block that is L in binary representation. 
After appending this block, the length of the message will be a 
multiple of 512 bits. 
Example: Suppose the original message is the bit string 
01100001 01100010 01100011 01100100 01100101 


After step (a) this gives 


01100001 01100010 01100011 01100100 01100101 1 
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4.2. 


Since L = 40, the number of bits in the above is 41 and K = 407 
"0"5 are appended, making the total now 448. This gives the 
following in hex: 


61626364 65800000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 


The 64-bit representation of L = 40 is hex 00000000 00000028. 
Hence the final padded message is the following hex 


61626364 65800000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000028 


SHA-384 and SHA-512 


Suppose a message has length L < 2%128. Before it is input to the 
hash function, the message is padded on the right as follows: 


a. 


"1" is appended. Example: if the original message is "01010000", 
this is padded to "010100001". 


K "O"s are appended where K is the smallest, non-negative solution 
to the equation 


( L + 1 +K) mod 1024 = 896 
Then append the 128-bit block that is L in binary representation. 
After appending this block, the length of the message will be a 
multiple of 1024 bits. 
Example: Suppose the original message is the bit string 

01100001 01100010 01100011 01100100 01100101 


After step (a) this gives 


01100001 01100010 01100011 01100100 01100101 1 
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Since L = 40, the number of bits in the above is 41 and K = 855 
"0"5 are appended, making the total now 896. This gives the 
following in hex: 


61626364 65800000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 


The 128-bit representation of L = 40 is hex 00000000 00000000 
00000000 00000028. Hence the final padded message is the 
following hex: 


61626364 65800000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000000 
00000000 00000000 00000000 00000028 


5. Functions and Constants Used 


The following subsections give the six logical functions and the 
table of constants used in each of the hash functions. 


5.1.  SHA-224 and SHA-256 
SHA-224 and SHA-256 use six logical functions, where each function 


operates on 32-bit words, which are represented as x, y, and z. The 
result of each function is a new 32-bit word. 


CH( x, y, Z) = (x AND y) XOR ( (NOT x) AND z) 

MAJ( X, y, Z) = (x AND y) XOR (x AND z) XOR (y AND z) 
BSIGO(x) = ROTR^2(x) XOR ROTR^13(x) XOR ROTR^22(x) 
BSIG1 (х) = ROTR^6(x) XOR КОТК^11 (х) XOR ROTR^25 (x) 
SSIGO(x) = ROTR^7(x) XOR ROTR^18(x) XOR SHR^3 (x) 
SSIG1 (x) = КОТК^17 (х) XOR КОТК^19 (х) ХОК SHR^10(x) 
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SHA-224 and SHA-256 use the same sequence of sixty-four constant 


32-bit words, KO, Kl, ..., K63. These words represent the first 32 
bits of the fractional parts of the cube roots of the first sixty- 
four prime numbers. In hex, these constant words are as follows 


(from left to right): 


428а2Ғ98 71374491 Б5с0ҒосЕ e9b5dba5 
3956c25b 59f111f1 923f82a4 ablc5ed5 
d807aa98 12835501 243185be 550c7dc3 
72be5d74 80deblfe 9bdc06a7 c19bf174 
е49рб9с1 efbe4786 Ofcl19dc6 240calcc 
2de92c6f 4a7484aa 5cb0a9dc 76f988da 
983е5152 a831c66d 500327с8 bf597fc7 
c6e00bf3 d5a79147 06са6351 14292967 
27р70а85 2е1р2138 442с64Ёс 53380413 
650a7354 766a0abb 81c2c92e 92722c85 
a2bfe8al a81a664b c24b8b70 c76c51a3 
d192e819 d6990624 £40e3585 106aa070 
19а4с116 1e376c08 2748774с 34b0bcb5 
391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3 
748f82ee 78a5636f 84c87814 8сс70208 
90befffa a4506ceb bef9a3f7 c67178f2 


5.2.  SHA-384 and SHA-512 


SHA-384 and SHA-512 each use six logical functions, where each 
function operates on 64-bit words, which are represented as x, y, and 


z. The result of each function is a new 64-bit word. 
CH( x, y, Z) = (x AND y) XOR ( (NOT x) AND z) 
MAJ( X, y, Z) = (x AND y) XOR (x AND z) XOR (y AND z) 
BSIGO(x) = ROTR^28(x) ХОК ROTR^34 (x) XOR ROTR^39 (x) 
BSIG1 (х) = КОТК^14 (х) ХОК ROTR^18(x) XOR ROTR^41 (x) 
SSIGO (x) = ROTR^l(x) ХОК ROTR^8(x) XOR SHR^7 (x) 
SSIG1 (x) = КОТК^19 (х) ХОК ROTR^61(x) XOR SHR^6 (x) 


SHA-384 and SHA-512 use the same sequence of eighty constant 64-bit 
words, KO, КІ, ... K79. These words represent the first 64 bits of 
the fractional parts of the cube roots of the first eighty prime 
numbers. In hex, these constant words are as follows (from left to 
right): 
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428а2Ғ98а728ае22 
3956c25bf348b538 
d807aa98a3030242 
72be5d74£275896f 
е49р69с19еҒ14аа2 
2de92c6f592b0275 
983e5152ee66dfab 
c6e00bf33da88fc2 
27р70а8546422ЁЁс 
650a73548baf63de 
a2bfe8al4cf10364 
d192e819d6ef5218 
19a4c116b8d2d0c8 
391c0cb3c5c95a63 
748£f82ee5defb2fc 
90befffa23631e28 
ca273eceea26619c 
06£067aa72176fba 
28db77£523047d84 
Acc5d4becb3e42b6 


SHAs, 


7137449123ef65cd 
59Е111Е1рБ6054019 
12835b0145706fbe 
80deb1fe3b1696b1 
efbe4786384f25e3 
4a7484aa6ea6e483 
a831c66d2db43210 
d5a79147930aa725 
2e1b21385c26c926 
766a0abb3c77b2a8 
а81а664ррс423001 
469906245565а910 
1e376c085141ab53 
4ed8aa4ae3418acb 
78a5636f£43172f60 
a4506cebde82bde9 
d18658c721c0c207 
0a637dc5a2c898a6 
32caab7b40c72493 
597£299cfc657e2a 


Computing the Message Digest 


The output of each of the secure hash functions, 
to a message of N blocks, 


SHA-256, H(i) 


н(1)1, 


H(i)7. 
be eight 64-bit words, 


H(i) 0, 


HMAC-SHAs, 


and HKDF 


b5cOfbcfec4d3b2f 
923£82a4af194f9b 
243185ре4ее4р28с 
9рас06а725с71235 
Ofcl9dc68b8cd5b5 
5cb0a9dcbd41fbd4 
b00327c898fb213F 
06ca6351e003826£f 
4d2c6dfc5ac42aed 
81c2c92e47edaee6 
c24b8b70d0f89791 
£40e35855771202a 
2748774cdf8eeb99 
5р9сса4#7763е373 
84c87814a1f0ab72 
ре#9а3#762с67915 
eada7dd6cde0eble 
113f9804bef90dae 
3c9ebe0a15c9bebc 
5fcb6fab3ad6faec 


is the hash quantity H(N). 
can be considered to be eight 32-bit words, 
For SHA-384 and SHA-512, 
EGET, c; 


it can 
H(i)7. 


May 2011 


e9b5dba58189dbbc 
abic5ed5da6d8118 
550c7dc3d5ffb4e2 
cl9bf174cf692694 
240calcc77ac9c65 
76£988da831153b5 
bf597fc7beef0ee4 
142929670a0e6e70 
53380d139d95b3df 
92722c851482353b 
c76c51a30654be30 
106aa07032bbd1b8 
34b0bcb5e19b48a8 
682e6ff3d6b2b8a3 
8cc702081a6439ec 
c67178£2e372532b 
f57dAf7fee6ed178 
1р710р35131с471р 
431d67c49c100d4c 
6c44198c4a475817 


after being applied 
For SHA-224 and 


H(1)0, 
be considered to 


As described below, the hash words are initialized, modified as each 

message block is processed, and finally concatenated after processing 

the last block to yield the output. For SHA-256 and SHA-512, all of 

the H(N) variables are concatenated while the SHA-224 and SHA-384 

hashes are produced by omitting some from the final concatenation. 
6.1. SHA-224 and SHA-256 Initialization 
For SHA-224, the initial hash value, 
32-bit words in hex: 


H(0), consists of the following 


= c1059ed8 
= 367cd507 
= 3070dd17 
= £70e5939 
= ЇЁс00Ю31 
= 68581511 
= 64f98fa7 
= befa4fa4 


D СР иь к Ин эг (иг od 

оссоооооо 

ч суль су Мо 
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For SHA-256, the initial hash value, H(0), consists of the following 
eight 32-bit words, in hex. These words were obtained by taking the 
first 32 bits of the fractional parts of the square roots of the 
first eight prime numbers. 


= 6a09e667 
= bb67ae85 
= 3c6ef372 
ab4ff53a 
= 510e527f 
= 9b05688c 
= 1#83а9ар 
= 5be0cd19 


co 
осососоооооос 
чо л о Мо 
ll 


6.2. SHA-224 and SHA-256 Processing 


SHA-224 and SHA-256 perform identical processing on message blocks 
and differ only in how H(0) is initialized and how they produce their 
final output. They may be used to hash a message, M, having a length 
of L bits, where 0 <= L < 2764. The algorithm uses (1) a message 
schedule of sixty-four 32-bit words, (2) eight working variables of 
32 bits each, and (3) a hash value of eight 32-bit words. 


The words of the message schedule are labeled WO, W1, ..., W63. The 
eight working variables are labeled a, b, c, d, e, f, g, and h. The 
words of the hash value are labeled Н(1)0, H(i)1, ..., H(i)7, which 


will hold the initial hash value, H(0), replaced by each successive 
intermediate hash value (after each message block is processed), 
H(i), and ending with the final hash value, H(N), after all N blocks 
are processed. They also use two temporary words, Tl and T2. 


The input message is padded as described in Section 4.1 above, then 
parsed into 512-bit blocks that are considered to be composed of 
Sixteen 32-bit words М(1)0, М(1)1, ..., M(i)15. The following 
computations are then performed for each of the N message blocks. 
All addition is performed modulo 2^32. 


For i = 1 to N 


1. Prepare the message schedule W: 
For t = 0 to 15 
Wt M(i)t 
For t 16 to 63 
Wt = SSIG1(W(t-2)) + W(t-7) + SSIGO(w(t-15)) + W(t-16) 
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2. Initialize the working variables: 


a = H(i-1)0 
b = H(i-1)1 
c = H(i-1)2 
d = H(i-1)3 
e = H(i-1)4 
f = H(i-1)5 
g = H(i-1)6 
h = H(i-1)7 


3. Perform the main hash computation: 
For t = 0 to 63 

ТІ = h + BSIGI(e) + CH(e,f,g) + Kt + Wt 

BSIGO(a) + MAJ(a,b,c) 


T2 = 

һ = 9 

9 = Ё 

Е-е 

е = а + T1 
а= с 

с = р 

р = а 

a e Tl Е T2 


4. Compute the intermediate hash value H(i) 
= + H(i-1)0 


чо Ол нь 0 М 

\ 
тан ос ош 
++++ + ++ 

r 


After the above computations have been sequentially performed for all 
of the blocks in the message, the final output is calculated. For 
5НА-256, this is the concatenation of all of Н(М)0, H(N)1, through 
H(N) 7. For SHA-224, this is the concatenation of Н(М)0, H(N)1, 
through H(N) 6. 


6.3. 5НА-384 апа SHA-512 Initialization 


For SHA-384, the initial hash value, H(0), consists of the following 
eight 64-bit words, in hex. These words were obtained by taking the 
first 64 bits of the fractional parts of the square roots of the 
ninth through sixteenth prime numbers. 
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= cbbb9d5dc1059ed8 
= 629a292a367cd507 
= 9159015a3070dd17 
152fecd8f70e5939 
= 67332667ffc00b31 
= 8eb44a8768581511 
= db0c2e0d64f98fa7 
= 47b5481ldbefa4fa4 


осососоооооо 
чо лмо МО 
ll 


———————— 


For SHA-512, the initial hash value, H(0), consists of the following 
eight 64-bit words, in hex. These words were obtained by taking the 
first 64 bits of the fractional parts of the square roots of the 
first eight prime numbers. 


= ба09е667Е3рсс908 
= pb67ae8584caa73b 
— 3c6ef372fe94f82b 
a54ff53a5fl1d36f1 
= 510e527fade682d1 
= 9b05688c2b3e6c1f 
= 1f83d9abfb4lbd6b 
= 5be0cd19137e2179 


осососооооосо 
чо олло Мн oO 
ll 


G 
——————— 


6.4, 5НА-384 and SHA-512 Processing 


SHA-384 and SHA-512 perform identical processing on message blocks 
and differ only in how H(0) is initialized and how they produce their 
final output. They may be used to hash a message, M, having a length 
of L bits, where 0 <= L < 27128. The algorithm uses (1) a message 
schedule of eighty 64-bit words, (2) eight working variables of 64 
bits each, and (3) a hash value of eight 64-bit words. 


The words of the message schedule are labeled WO, W1, ..., W79. The 
eight working variables are labeled a, b, c, d, e, f, g, and h. The 
words of the hash value are labeled Н(1)0, Н(1)1, ..., H(i)7, which 


will hold the initial hash value, H(0), replaced by each successive 
intermediate hash value (after each message block is processed), 
H(i), and ending with the final hash value, H(N) after all N blocks 
are processed. 


The input message is padded as described in Section 4.2 above, then 
parsed into 1024-bit blocks that are considered to be composed of 
sixteen 64-bit words М(1)0, М(1)1, ..., M(i)15. The following 
computations are then performed for each of the N message blocks. 
All addition is performed modulo 2^64. 
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For i = 1 to М 


1. Prepare the message schedule W: 
For t = 0 to 15 
Wt = M(i)t 
For t = 16 to 79 
Wt = SSIG1(W(t-2)) + W(t-7) + SSIGO(W(t-15)) + W(t-16) 


2. Initialize the working variables: 
= H(i-1)0 


сон оо 0 0 
ll 


3. Perform the main hash computation: 
For t = 0 to 79 
Tl = h + BSIG1 (е) + CH(e,f,g) + Kt + Wt 
Т2 = BSIGO(a) + МАЈ (a,b,c) 


h=g 
g=f 

Е-е 

e = а + T1 
а-с 

с- р 
b=a 

а - Т1 - T2 


4. Compute the intermediate hash value H(i) 


Н(1)0 = a + H(i-1)0 
H(i)l = b + H(i-1)1 
H(i)2 = c + H(i-1)2 
H(i)3 = d + H(i-1)3 
H(i)4 = e + H(i-1)4 
H(i)5 = £ + H(i-1)5 
H(i)6 = g + H(i-1)6 
H(i)7 = h + H(i-1)7 


After the above computations have been sequentially performed for all 
of the blocks in the message, the final output is calculated. For 
SHA-512, this is the concatenation of all of Н(М)0, H(N)1, through 
H(N)7. For SHA-384, this is the concatenation of Н(М)0, Н(М)1, 
through H(N)5. 


Eastlake & Hansen Informational [Page 16] 


RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 


7.  HKDF- and SHA-Based HMACs 


Below are brief descriptions and pointers to more complete 
descriptions and code for (1) SHA-based HMACs and (2) an HMAC-based 
extract-and-expand key derivation function. Both HKDF and HMAC were 
devised by Hugo Krawczyk. 


duds SHA-Based HMACs 


HMAC is a method for computing a keyed MAC (Message Authentication 
Code) using a hash function as described in [RFC2104]. It uses a key 
to mix in with the input text to produce the final hash. 


Sample code is also provided, in Section 8.3 below, to perform HMAC 
based on any of the SHA algorithms described herein. The sample code 
found in [RFC2104] was written in terms of a specified text size. 
Since SHA is defined in terms of an arbitrary number of bits, the 
sample HMAC code has been written to allow the text input to HMAC to 
have an arbitrary number of octets and bits. A fixed-length 
interface is also provided. 


7.2. | HKDF 


HKDF is a specific Key Derivation Function (KDF), that is, a function 
of initial keying material from which the KDF derives one or more 
cryptographically strong secret keys.  HKDF, which is described in 
[RFC5869], is based on HMAC. 


Sample code for HKDF is provided in Section 8.4 below. 
8. C Code for SHAs, HMAC, and HKDF 


Below is a demonstration implementation of these secure hash 
functions in C. Section 8.1 contains the header file sha.h that 
declares all constants, structures, and functions used by the SHA and 
HMAC functions. It includes conditionals based on the state of 
definition of USE 32BIT ONLY that, if that symbol is defined at 
compile time, avoids 64-bit operations. It also contains sha- 
private.h that provides some declarations common to all the SHA 
functions. Section 8.2 contains the C code for shal.c, sha224-256.c, 
sha384-512.c, and usha.c. Section 8.3 contains the C code for the 
HMAC functions, and Section 8.4 contains the C code for HKDF. 

Section 8.5 contains a test driver to exercise the code. 


For each of the digest lengths $$$, there is the following set of 
constants, a structure, and functions: 
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Constants: 
SHASSSHashSize number of octets in the hash 
SHASSSHashSizeBits number of bits in the hash 
5НА555 Message Block Size 
number of octets used in the intermediate 
message blocks 
Most functions return an enum value that is one of: 


shaSuccess (0) on success 

shaNull.(1) when presented with a null pointer parameter 
shaInputTooLong(2) when the input data is too long 
shaStateError (3) when SHAS$$$Input is called after 


SHASSSFinalBits or SHASS$S$Result 


Structure: 
typedef SHASSSContext 
an opaque structure holding the complete state 


for producing the hash 


Functions: 
int SHASSSReset (SHASSSContext *context) ; 
Reset the hash context state. 
int SHASSSInput (SHASSSContext *context, const uint8 t *octets, 
unsigned int bytecount); 
Incorporate bytecount octets into the hash. 
int SHAS$$$FinalBits(SHA$$$Context *, const uint8 t octet, 
unsigned int bitcount); 
Incorporate bitcount bits into the hash. The bits are in 
the upper portion of the octet. SHASSSInput() cannot be 
called after this. 
int SHASSSResult (SHASSSContext *, 
uint8 t Message Digest[SHA$$S$HashSize]); 
Do the final calculations on the hash and copy the value 
into Message Digest. 


In addition, functions with the prefix USHA are provided that take a 
SHAversion value (SHASSS) to select the SHA function suite. They add 
the following constants, structure, and functions: 


Constants: 
shaBadParam(4) constant returned by USHA functions when 
presented with a bad SHAversion (5НА555) 
parameter or other illegal parameter values 
USAMaxHashSize maximum of the SHA hash sizes 
SHASSS SHAversion enumeration values, used by USHA, 


HMAC, and HKDF functions to select the SHA 
function suite 
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Structure: 
typedef USHAContext 
an opaque structure holding the complete state 
for producing the hash 


Functions: 
int USHAReset (USHAContext *context, SHAversion whichSha) ; 
Reset the hash context state. 
int USHAInput (USHAContext context*, 
const uint8 t *bytes, unsigned int bytecount) ; 
Incorporate bytecount octets into the hash. 
int USHAFinalBits (USHAContext *context, 
const uint8 t bits, unsigned int bitcount); 
Incorporate bitcount bits into the hash. 
int USHAResult (USHAContext *context, 
uint8 t Message Digest[USHAMaxHashSize]l); 
Do the final calculations on the hash and copy the value 
into Message Digest.  Octets in Message Digest beyond 
USHAHashSize(whichSha) are left untouched. 
int USHAHashSize(enum SHAversion whichSha); 
The number of octets in the given hash. 
int USHAHashSizeBits (enum SHAversion whichSha); 
The number of bits in the given hash. 
int USHABlockSize(enum SHAversion whichSha) ; 
The internal block size for the given hash. 
const char *USHAHashName (enum SHAversion whichSha); 
This function will return the name of the given SHA 
algorithm as a string. 


The HMAC functions follow the same pattern to allow any length of 
text input to be used. 


Structure: 
typedef HMACContext an opaque structure holding the complete state 
for producing the keyed message digest (MAC) 


Functions: 
int hmacReset (HMACContext *ctx, enum SHAversion whichSha, 
const unsigned char *key, int key len); 
Reset the MAC context state. 
int hmacInput (HMACContext *ctx, const unsigned char *text, 
int text len); 
Incorporate text len octets into the MAC. 
int hmacFinalBits (HMACContext *ctx, const uint8 t bits, 
unsigned int bitcount); 
Incorporate bitcount bits into the MAC. 
int hmacResult (HMACContext *ctx, 
uint8 t Message Digest[USHAMaxHashSize]l); 
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Do the final calculations on the MAC and copy the value into 
Message_Digest. Octets in Message_Digest beyond 
USHAHashSize(whichSha) are left untouched. 


In addition, a combined interface is provided, similar to that shown 
in [RFC2104], that allows a fixed-length text input to be used. 


int hmac(SHAversion whichSha, 
const unsigned char *text, int text_len, 
const unsigned char *key, int key_len, 
uint8 t Message Digest[USHAMaxHashSize]l); 
Calculate the given digest for the given text and key, and 
return the resulting MAC. Octets in Message Digest beyond 
USHAHashSize(whichSha) are left untouched. 


The HKDF functions follow the same pattern to allow any length of 
text input to be used. 


Structure: 
typedef HKDFContext an opaque structure holding the complete state 
for producing the keying material 
Functions: 
int hkdfReset (HKDFContext *context, enum SHAversion whichSha, 
const unsigned char *salt, int salt len) 
Reset the key derivation state and initialize it with the 
salt len octets of the optional salt. 
int hkdfInput (HKDFContext *context, const unsigned char *ikm, 
int ikm len) 
Incorporate ikm len octets into the entropy extractor. 
int hkdfFinalBits (HKDFContext *context, uint8 t ikm bits, 
unsigned int ikm bit count) 
Incorporate ikm bit count bits into the entropy extractor. 
int hkdfResult (HKDFContext *context, 
uint8 t prk[USHAMaxHashSize], 
const unsigned char *info, int info len, 
uint8 t okm[ ], int okm len) 
Finish the HKDF extraction and perform the final HKDF 
expansion, storing the okm len octets into output keying 
material (okm). Optionally store the pseudo-random key 
(prk) that is generated internally. 


In addition, combined interfaces are provided, similar to that shown 
in [RFC5869], that allows a fixed-length text input to be used. 


int hkdfExtract (SHAversion whichSha, 
const unsigned char *salt, int salt_len, 
const unsigned char *ikm, int ikm_len, 
uint8_t prk[USHAMaxHashSize] ) 
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Perform HKDF extraction, combining the salt_len octets of 
the optional salt with the ikm_len octets of the input 
keying material (ikm) to form the pseudo-random key prk. 
The output prk must be large enough to hold the octets 
appropriate for the given hash type. 


int hkdfExpand(SHAversion whichSha, 
const uint8 t prk[ 1, int prk len, 
const unsigned char *info, int info len, 
uint8 t okm[ ], int okm len) 
Perform HKDF expansion, combining the prk len octets of the 
pseudo-random key prk with the info len octets of info to 
form the okm len octets stored in okm. 


int hkdf(SHAversion whichSha, 

const unsigned char *salt, int salt len, 

const unsigned char *ikm, int ikm len, 

const unsigned char *info, int info len, 

uint8 t okm[ ], int okm len) 
This combined interface performs both HKDF extraction and 
expansion. The variables are the same as in hkdfExtract () 
and hkdfExpand(). 


8.1. Тһе Header Files 
8.1.1. The .h file 


The following sha.h file, as stated in the comments within the file, 
assumes that «stdint.h» is available on your system. If it is not, 
you should change to including «stdint-example.h», provided in 
Section 8.1.2, or the like. 


[KKK KKK KK KKK KKK KKK KKK KKK ke ke ЖК К К Sha.h KOKCkCkCk ck kck ck kck ЖКЖ Ж / 
d See RFC 6234 for details. ххх Ж / 


/* 
Copyright (c) 2011 IETF Trust and the persons identified as 
authors of the code. All rights reserved. 


Redistribution and use in source and binary forms, with or 
without modification, are permitted provided that the following 
conditions are met: 


- Redistributions of source code must retain the above 


copyright notice, this list of conditions and 
the following disclaimer. 
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- Redistributions in binary form must reproduce the above 
copyright notice, this list of conditions and the following 
disclaimer in the documentation and/or other materials provided 
with the distribution. 


- Neither the name of Internet Society, IETF or IETF Trust, nor 
the names of specific contributors, may be used to endorse or 
promote products derived from this software without specific 
prior written permission. 


THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND 
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

х/ 

#ifndef SHAH. 

#define _SHA H_ 


/ 
Description: 
This file implements the Secure Hash Algorithms 
as defined in the U.S. National Institute of Standards 
and Technology Federal Information Processing Standards 
Publication (FIPS PUB) 180-3 published in October 2008 
and formerly defined in its predecessors, FIPS PUB 180-1 
and FIP PUB 180-2. 


A combined document showing all algorithms is available at 
http://csrc.nist.gov/publications/fips/ 
fips180-3/fips180-3 final.pdf 


The five hashes are defined in these sizes: 
SHA-1 20 byte 160 bit 
SHA-224 28 byte 224 bit 
SHA-256 32 byte 256 bit 
SHA-384 48 byte 384 bit 
SHA-512 64 byte 512 bit 


р М М М М. 


+ + + + + ж ж ж ж ж ж ж ж ж ж ж ж ж ж X 
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* Compilation Note: 

Е These files may be compiled with two options: 

Ж USE_32BIT_ONLY - use 32-bit arithmetic only, for systems 
* without 64-bit integers 

* 

й USE_MODIFIED_MACROS - use alternate form of the SHA_Ch() 

Ы and SHA_Maj() macros that are equivalent 
* and potentially faster on many systems 

* 

х/ 


#include «stdint.h» 
/* 
If you do not have the ISO standard stdint.h header file, then you 
* must typedef the following: 


* name meaning 

* uint64 t unsigned 64-bit integer 

хо uint32 t unsigned 32-bit integer 

хо uint8 t unsigned 8-bit integer (i.e., unsigned char) 
* int leastl16 t integer of >= 16 bits 

* 

* See stdint-example.h 

*/ 


#ifndef ЗНА enum. 
#define ЗНА enum. 


/* 
* All SHA functions return one of these values. 
*/ 
enum { 
shaSuccess = 0, 
shaNull, /* Null pointer parameter */ 
shalnputTooLong, /* input data too long */ 
shaStateError, /* called Input after FinalBits or Result */ 
shaBadParam /* passed a bad parameter */ 


у; 
#endif /* ЗНА enum */ 


/* 
* These constants hold size information for each of the SHA 
* hashing operations 
жу 
enum { 
5НА1 Message Block Size = 64, SHA224 Message Block Size = 64, 
SHA256 Message Block Size 64, SHA384 Message Block Size - 128, 
SHA512 Message Block Size - 128, 
USHA Max Message Block Size - SHA512 Message Block Size, 
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SHAlHashSize = 20, SHA224HashSize = 28, SHA256HashSize = 32, 
SHA384HashSize = 48, SHA512HashSize = 64, 

USHAMaxHashSize = SHA512HashSize, 
SHAlHashSizeBits = 160, SHA224HashSizeBits = 224, 
SHA256HashSizeBits = 256, SHA384HashSizeBits = 384, 
SHA512HashSizeBits = 512, USHAMaxHashSizeBits = SHA512HashSizeBits 
у; 
/* 
* These constants are used in the USHA (Unified SHA) functions. 
*/ 
typedef enum SHAversion { 
SHA1, SHA224, SHA256, SHA384, SHA512 


) SHAversion; 


/* 
* 
* 
ny 

typedef struct SHAlContext { 


hashing operation. 


uint32 t Intermediate Hash[SHAlHashSize/4]; 


uint32 t Length High; /* 
uint32 t Length Low; уж 
int_least16_t Message Block Index; /* 

/* 


uint8 t Message Block[SHAl1 Message Bloc 
int Computed; /* Is t 

int Corrupted; 
| SHAlContext; 


/* 
* 
* 
*/ 

typedef struct SHA256Context { 

uint32 t Intermediate Hash[SHA256HashSi 


hashing operation. 


/ * 
/ * 


uint32 t Length High; 
uint32 t Length Low; 


int leastl16 t Message Block Index; 


uint8 t Message Block[SHA256 Message Bl 
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This structure will hold context information for the SHA-1 


/* Message Digest */ 


Message 
Message 


length in bits */ 
length in bits */ 


Message Block array index */ 
512-bit message blocks */ 


k Size]; 


he hash computed? */ 


/* Cumulative corruption code */ 


This structure will hold context information for the SHA-256 


ze/4]; /* Message Digest */ 


Message length in bits */ 
Message length in bits */ 


Message Block array index */ 


512-bit message blocks */ 
ock Size]; 


[Page 24] 


RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 


int Computed; /* Is the hash computed? */ 
int Corrupted; /* Cumulative corruption code */ 
} SHA256Context; 


/* 
* This structure will hold context information for the SHA-512 
* hashing operation. 
х / 
typedef struct SHA512Context ( 
#ifdef USE_32BIT_ONLY 
uint32_t Intermediate Hash[SHA512HashSize/4]; /* Message Digest */ 
uint32 t Length[4]; /* Message length in bits */ 
felse /* !USE 32BIT ONLY */ 
uint64 t Intermediate Hash[SHA512HashSize/8]; /* Message Digest */ 
uint64 t Length High, Length Low; /* Message length in bits */ 
fendif /* USE 32BIT ONLY */ 


int leastl6 t Message Block Index;  /* Message Block array index */ 
/* 1024-bit message blocks */ 
uint8 t Message Block[SHA512 Message Block Size]; 


int Computed; /* Is the hash computed?*/ 
int Corrupted; /* Cumulative corruption code */ 
) SHA512Context; 


/* 
* This structure will hold context information for the SHA-224 
* hashing operation. It uses the SHA-256 structure for computation. 
*/ 

typedef struct SHA256Context SHA224Context; 

/* 
* This structure will hold context information for the SHA-384 
* hashing operation. It uses the SHA-512 structure for computation. 
Af 


typedef struct SHA512Context SHA384Context; 


/* 
* This structure holds context information for all SHA 
х hashing operations. 
*/ 
typedef struct USHAContext { 
int whichSha; /* which SHA is being used */ 
union { 
SHAlContext shalContext; 
SHA224Context sha224Context; SHA256Context sha256Context; 
SHA384Context sha384Context; SHA512Context sha512Context; 
) ctx; 
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| USHAContext; 


/* 
* 
* 


Жу 


This structure will hold context information for the HMAC 
keyed-hashing operation. 


typedef struct HMACContext { 


int whichSha; /* which SHA is being used */ 

int hashSize; /* hash size of SHA being used */ 
int blockSize; /* block size of SHA being used */ 
USHAContext shaContext; /* SHA context */ 


unsigned char k opad[USHA Max Message Block Size]; 

/* outer padding - key XORd with opad */ 
int Computed; /* Is the MAC computed? */ 
int Corrupted; /* Cumulative corruption code */ 


) HMACContext; 


/ * 
* 
* 


*/ 


This structure will hold context information for the HKDF 
extract-and-expand Key Derivation Functions. 


typedef struct HKDFContext { 


int whichSha; /* which SHA is being used */ 
HMACContext hmacContext; 
int hashSize; /* hash size of SHA being used */ 


unsigned char prk[USHAMaxHashSize]; 

/* pseudo-random key - output of hkdfInput */ 
int Computed; /* Is the key material computed? */ 
int Corrupted; /* Cumulative corruption code */ 


| HKDFContext; 


/ * 


* 


Ж/ 


Function Prototypes 


/* SHA-1 */ 
extern int ЅНА1Кеѕеі (ЅНА1Сопіехі *); 
extern int SHAlInput(SHAlContext *, const uint8 t *bytes, 


unsigned int bytecount); 


extern int SHAlFinalBits(SHAlContext *, uint8 t bits, 


unsigned int bit count); 


extern int SHAlResult(SHAlContext *, 
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/* SHA-224 


extern 
extern 


extern 


extern 


int 
int 


int 


int 


/* SHA-256 


extern 
extern 


extern 


extern 


int 
int 


int 


int 


/* SHA-384 


extern 
extern 


extern 


extern 


int 
int 


int 


int 


/* SHA-512 


extern 
extern 


extern 


extern 


int 
int 


int 


int 
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*/ 
SHA224Reset (SHA224Context *); 
SHA224 Input (SHA224Context *, const uint8_t *bytes, 
unsigned int bytecount); 
SHA224FinalBits (SHA224Context *, uint8 t bits, 
unsigned int bit count); 
SHA224Result(SHA224Context *, 
uint8 t Message Digest[SHA224HashSize]l); 


*/ 
SHA256Reset(SHA256Context *); 
SHA256Input(SHA256Context *, const uint8 t *bytes, 
unsigned int bytecount); 
SHA256FinalBits (SHA256Context *, uint8 t bits, 
unsigned int bit count); 
SHA256Result(SHA256Context *, 
uint8 t Message Digest[SHA256HashSize]l); 


жу. 

SHA384Reset (SHA384Context *); 

SHA384Input (SHA384Context *, const uint8_t *bytes, 
unsigned int bytecount) ; 

SHA384FinalBits (SHA384Context *, uint8_t bits, 

unsigned int bit_count); 

SHA384Result (SHA384Context *, 

uint8 t Message Digest[SHA384HashSize]l); 


*/ 

SHA512Reset (SHA512Context *); 

SHA512Input (SHA512Context *, const uint8_t *bytes, 
unsigned int bytecount); 


SHA512FinalBits(SHA512Context *, uint8 t bits, 
unsigned int bit count); 
SHA512Result (SHA512Context *, 


uint8 t Message Digest[SHA512HashSize]l); 


/* Unified SHA functions, chosen by whichSha */ 


extern 
extern 


extern 


extern 


extern 


extern 


extern 
extern 


int 
int 


int 
int 
int 


int 
int 


USHAReset (USHAContext *context, SHAversion whichSha) ; 
USHAInput (USHAContext *context, 

const uint8 t *bytes, unsigned int bytecount) ; 
USHAFinalBits (USHAContext *context, 

uint8_t bits, unsigned int bit_count); 
USHAResult (USHAContext *context, 

uint8 t Message Digest[USHAMaxHashSize]l); 
USHABlockSize(enum SHAversion whichSha); 
USHAHashSize(enum SHAversion whichSha) ; 
USHAHashSizeBits (enum SHAversion whichSha) ; 


const char *USHAHashName (enum SHAversion whichSha); 
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/* 

* HMAC Keyed-Hashing for Message Authentication, RFC 2104, 

* for all SHAs. 

* This interface allows a fixed-length text input to be used. 
*/ 


extern int hmac(SHAversion whichSha, /* which SHA algorithm to use */ 


const unsigned char *text, /* pointer to data stream */ 

int text_len, /* length of data stream */ 

const unsigned char *key, /* pointer to authentication key */ 
int key_len, /* length of authentication key */ 
uint8_t digest [USHAMaxHashSize]); /* caller digest to fill in */ 


/* 
* HMAC Keyed-Hashing for Message Authentication, RFC 2104, 
* for all SHAs. 
* This interface allows any length of text input to be used. 
*/ 
extern int hmacReset (HMACContext *context, enum SHAversion whichSha, 
const unsigned char *key, int key_len); 
extern int hmacInput (HMACContext *context, const unsigned char *text, 
int text len); 
extern int hmacFinalBits (HMACContext *context, uint8 t bits, 
unsigned int bit count); 
extern int hmacResult (HMACContext *context, 
uint8 t digest[USHAMaxHashSize]l); 


/* 
* HKDF HMAC-based Extract-and-Expand Key Derivation Function, 
* RFC 5869, for all SHAs. 
х/ 
extern int hkdf(SHAversion whichSha, const unsigned char *salt, 
int salt_len, const unsigned char *ikm, int ikm_len, 
const unsigned char *info, int info_len, 
uint8 t okm[ ], int okm len); 
extern int hkdfExtract(SHAversion whichSha, const unsigned char *salt, 
int salt len, const unsigned char *ikm, 
int ikm len, uint8 t prk[USHAMaxHashSize]l); 
extern int hkdfExpand(SHAversion whichSha, const uint8 t prk[ ], 
int prk len, const unsigned char *info, 
int info len, uint8 t okm[ 1, int okm len); 


/* 
* HKDF HMAC-based Extract-and-Expand Key Derivation Function, 
* RFC 5869, for all SHAs. 
* This interface allows any length of text input to be used. 
у 
extern int hkdfReset (HKDFContext *context, enum SHAversion whichSha, 
const unsigned char *salt, int salt_len); 
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extern int hkdfInput (HKDFContext *context, const unsigned char *ikm, 
int ikm len); 
extern int hkdfFinalBits (HKDFContext *context, uint8 t ikm bits, 
unsigned int ikm bit count); 
extern int hkdfResult (HKDFContext *context, 
uint8 t prk[USHAMaxHashSize], 
const unsigned char *info, int info len, 
uint8 t okm[USHAMaxHashSize], int okm len); 
#fendif /* SHAH */ 


8.1.2. stdint-example.h 


If your system does not have «stdint.h», the following should be 
adequate as a substitute for compiling the other code in this document. 


f RKCKCKCk kk ck KKK KKK KKK KK KK KK stdint-example.h ЖКЖ ККЖ ke e ke КК / 


/**** Use this file if your system does not have a stdint.h. ***/ 
d See RFC 6234 for details. хх К / 
#ifndef STDINT_H 
#define STDINT_H 


typedef unsigned long long uint64_t; /* unsigned 64-bit integer */ 
typedef unsigned int uint32 t; /* unsigned 32-bit integer */ 
typedef unsigned char uint8 t; /* unsigned 8-bit integer */ 
/* (i.e., unsigned char) */ 
typedef int int least32 t; /* integer of »- 32 bits */ 
typedef short int Іеаѕі16 t; /* integer of »- 16 bits */ 


#endif /* STDINT н */ 
8.1.3. sha-private.h 


The sha-private.h header file contains definitions that should only 
be needed internally in the other code in this document. These 
definitions should not be needed in application code calling the code 
provided in this document. 


[RK KK KKK KKK KKK KK KKK KKK KKK sha-private.h KOK KKK KK OK KK KK ke ke e Ж / 


[KRKKKKKKK KKK KKK KKK See RFC 6234 for details. KOR KK KK KKK Ж / 
#ifndef 5НА PRIVATE Н 
#define ЗНА PRIVATE Н 
/* 
These definitions are defined in FIPS 180-3, section 4.1. 
Ch() and Maj() are defined identically in sections 4.1.1, 
* 4.1.2, and 4.1.3. 


* x 


The definitions used in FIPS 180-3 are as follows: 


Ж/ 
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#ifndef USE_MODIFIED_MACROS 


#define SHA Ch(x,y,z) (((х) в (у)) ^ (C (x)) в (z))) 

fdefine SHA Maj(x,y,z) (((х) в (y)) ^ ((x) & (2)) ^ (Cy) & (z))) 
#else /* USE MODIFIED MACROS */ 

/ * 


* The following definitions are equivalent and potentially faster. 


*/ 


#define SHA_Ch(x, у, 7) (((x) в ((y) ^ (2))) ^ (z)) 

#define SHA Maj(x, y, z) (((х) & ((у) | (z))) | (y) 12143 
dendif /* USE MODIFIED MACROS */ 

fdefine SHA Parity(x, y, z) ((x) ^ (y) ^ (z)) 


#endif /* 5НА PRIVATE Н */ 
8.2. The SHA Code 


This code is primarily intended as expository reference code and 
could be optimized further. For example, the assignment rotations 
through the variables a, b, ..., h could be treated as a cycle and 
the loop unrolled, rather than doing the explicit copying. 


Note that there are alternative representations of the Ch() and Maj() 
functions controlled by an ifdef. 


8.2.1. shal.c 


[RK KK KKK KKK KK KK KKK KKK KKK ke ke Ж К К shal.c KOK KK ck kck ck KK KK KK KK e k kx Ж / 


[RKKKKKKK KKK KKK KKK See RFC 6234 for details. KOK KK KK KK KK KK KK KK / 
/* Copyright (c) 2011 IETF Trust and the persons identified as */ 
/* authors of the code. All rights reserved. */ 
/* See sha.h for terms of use and redistribution. i 


/ 
Description: 
This file implements the Secure Hash Algorithm SHA-1 
as defined in the U.S. National Institute of Standards 
and Technology Federal Information Processing Standards 
Publication (FIPS PUB) 180-3 published in October 2008 
and formerly defined in its predecessors, FIPS PUB 180-1 
and FIP PUB 180-2. 


A combined document showing all algorithms is available at 
http://csrc.nist.gov/publications/fips/ 
fips180-3/fips180-3 final.pdf 


+ + + + ж ж ж ж ж ж ж ж X 
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/ 


The SHA-1 algorithm produces а 160-bit message digest for a 
given data stream that can serve as a means of providing a 
"fingerprint" for a message. 


Portability Issues: 


SHA-1 is defined in terms of 32-bit "words". This code 
uses «stdint.h» (included via "sha.h") to define 32- and 
8-bit unsigned integer types. If your C compiler does 
not support 32-bit unsigned integers, this code is not 
appropriate. 

Caveats: 


SHA-1 is designed to work with messages less than 2^64 bits 
long. This implementation uses SHAlInput() to hash the bits 
that are a multiple of the size of an 8-bit octet, and then 
optionally uses SHAlFinalBits() to hash the final few bits of 
the input. 


finclude "sha.h" 
#include "sha-private.h" 


/ * 


* 


x% 


Define the SHA1 circular left shift macro 


#define SHA1 ROTL(bits,word) \ 


/* 


(((word) << (bits)) | ((word) >> (32-(bits)))) 


* Add "length" to the length. 
* Set Corrupted when overflow has occurred. 


Ж/ 


static uint32_t addTemp; 


#define SHAlAddLength (context, length) 
(addTemp = (context) ->Length_Low, 


- Ww, 


(context)-»Corrupted = 
(((context)-»Length Low += (length)) < addTemp) && \ 
(**(context)-»Length High == 0) ? shaInputTooLong \ 

(context)-»Corrupted ) 


/* Local Function Prototypes */ 

static void SHAlProcessMessageBlock(SHAlContext *context); 

static void SHAlFinalize(SHAlContext *context, uint8 t Pad Byte); 
static void SHAlPadMessage(SHAlContext *context, uint8 t Pad Byte); 
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SHA1Reset 


Description: 
This function will initialize the SHAlContext in preparation 
for computing a new 5НА1 message digest. 


Parameters: 
context: [in/out] 
The context to reset. 


Returns: 
sha Error Code. 


+ ж X ож ож ж ж ж ж ж ж ж ж ж ж 


/ 
int SHAlReset(SHAlContext *context) 
{ 


if (!context) return shaNull; 


context-»Length High = context-»Length Low = 0; 
context-»Message Block Index = 0; 


/* Initial Hash Values: FIPS 180-3 section 5.3.1 */ 


context-»Intermediate Hash[0] = 0x67452301; 
context-»Intermediate Hash[1] = OxEFCDAB89; 
context-»Intermediate Hash[2] = 0x98BADCFE; 
context-»Intermediate Hash[3] = 0x10325476; 
context-»Intermediate Hash[4] = 0хС3р2Е1ЕО/ 
context-»Computed = 0; 

context->Corrupted = shaSuccess; 


return shaSuccess; 


/* 
% SHAlInput 

* 

* Description: 

* This function accepts an array of octets as the next portion 
* of the message. 

* 

* Parameters: 

* context: [in/out] 

Е The SHA context to update. 

* message_array[ ]: [in] 

* An array of octets representing the next portion of 

* 


the message. 
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length: [in] 
The length of the message in message_array. 


Returns: 
sha Error Code. 


+ + x ж ож ж ж 


int SHAlInput(SHAlContext *context, 
const uint8_t *message_array, unsigned length) 


if (!context) return shaNull; 

if (!length) return shaSuccess; 

if (!message array) return shaNull; 
( 
( 


if (context-»Computed) return context-»Corrupted = shaStateError; 
if (context-»Corrupted) return context-»Corrupteg; 
while (length--) { 


context-»Message Block[context-»Message Block Іпаех++] = 
*message array; 


if ((SHAlAddLength(context, 8) == shaSuccess) && 
(context-»Message Block Index == SHA1 Message Block Size)) 
SHAlProcessMessageBlock (context); 


message аггау++; 


} 


return context-»Corruptegd; 


/ж 
* SHAlFinalBits 

* 

* Description: 

* This function will add in any final bits of the message. 

* 

* Parameters: 

* context: [in/out] 

й The SHA context to update. 

Ж message bits: [in] 

* The final bits of the message, in the upper portion of the 
1 byte. (Use Ob###00000 instead of 05000000444 to input the 
Ы three bits ###.) 

* length: [in] 

* The number of bits in message bits, between 1 and 7. 

* 

* Returns: 

* 


sha Error Code. 
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*/ 
int SHAlFinalBits (SHAlContext *context, uint8 t message bits, 
unsigned int length) 
{ 
static uint8_t masks[8] = { 
/* 0 0500000000 */ 0x00, /* 
/* 2 0b11000000 х/ 0OxCO, /* 
/* 4 0b11110000 */ OxFO, /* 
/* 6 0b11111100 */ OxFC, /* 


0010000000 */ 0x80, 
0011100000 */ OxEO, 
0011111000 */ OxF8, 
0011111110 */ OxFE 


чоло н 


у; 


static uint8_t markbit[8] = { 
/* 0 0610000000 */ 0x80, /* 
/* 2 0500100000 */ 0x20, /* 
/* 4 0600001000 */ 0x08, /* 
/* 6 0500000010 */ 0x02, /* 


0501000000 */ 0x40, 
0500010000 */ 0x10, 
0000000100 */ 0x04, 
0000000001 */ 0x01 


чоло н 


у; 


if (!context) return shaNull; 

if (!length) return shaSuccess; 

if (context-»Corrupted) return context-—>Corrupted; 

if (context-»Computed) return context-»Corrupted = shaStateError; 
if (length >= 8) return context-»Corrupted = shaBadParam; 


SHAlAddLength(context, length); 
SHA1Finalize (context, 


(uint8 t) ((message bits 8 masks[length] ) | markbit [length])); 


return context-—>Corrupted; 


/* 

* SHAlResult 

* 

* Description: 

* This function will return the 160-bit message digest 

* into the Message_Digest array provided by the caller. 

* NOTE: 

x The first octet of hash is stored in the element with index 0, 
Ж the last octet of hash in the element with index 19. 
* 

* Parameters: 

* context: [in/out] 

Е The context to use to calculate the ЅНА-1 hash. 

Е Message Digest[ 1: [out] 

* Where the digest is returned. 

* 
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* Returns: 


* sha Error Code. 
* 


*/ 
int SHAlResult(SHAlContext *context, 
uint8 t Message Digest[SHAlHashSize]) 
{ 


int i; 


if (!context) return shaNull; 
if (!Message Digest) return shaNull; 
if (context-»Corrupted) return context-»Corrupteg; 


if (!context-»Computed) 
SHAlFinalize(context, 0x80); 


for (i = 0; i < SHAlHashSize; ++i) 
Message Digest[i] = (uint8 t) (context-»Intermediate Hash[i»»2] 


>> (8 * (3- (i & 0x03 ) ))); 


return shaSuccess; 


/* 
* SHAlProcessMessageBlock 

Ж 

* Description: 

2 This helper function will process the next 512 bits of the 
* message stored in the Message Block array. 

* 

* Parameters: 

* context: [in/out] 

А The SHA context to update. 

* 

* Returns: 

* Nothing. 

* 

* Comments: 

Е Many of the variable names in this code, especially the 

* single character names, were used because those were the 

X names used in the Secure Hash Standard. 

*/ 


static void SHAlProcessMessageBlock(SHAlContext *context) 
{ 
/* Constants defined in FIPS 180-3, section 4.2.1 */ 
const uint32_t K[4] = { 
0x5A827999, Ox6ED9EBA1, Ox8F1BBCDC, OxCA62C1D6 
}; 
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int 
uint32 t 


uint32 t 
uint32 t 


/ * 


* Initialize the first 16 words in the array 


*/ 
for (t 
W[t] 
W[t] 
W[t] 
W[t] 
} 


0; t < 16; ++) 4 


(( 
(( 
(( 
(( 


) 
uint32 t) 
) 


t) 
W[t-3] 


for (t = 16; t < 80; 
W[t] = 5НА1 ROTL(1, ^ W[t-8] 
= context-»Intermediate Hash[0]; 
context-»Intermediate Hash[1]; 
context-»Intermediate Hash[2]; 
context-»Intermediate Hash[3]; 
context-»Intermediate Hash[4]; 


шоо» 


= 0; t < 20; 
5НА1 ROTL(5,A) 


++) { 
+ SHA Ch(B, C, 


D; 

C; 
SHA1_ROTL(30,B); 
A; 

temp; 


20; t < 40; t++) { 
SHA1_ROTL(5,A) + ЗНА Parity(B, 


SHA1_ROTL(30,B); 
A; 
temp; 


= 40; t < 60; +++) { 
SHA1_ROTL(5,A) + SHA Мај (В, C, 


5НА1 ROTL(30,B); 
A; 


uint32 t)context-»Message Block[t 
uint32 t)context-»Message Block[t 
context-»Message Block[t 
uint32 t)context-»Message Block[t 


^ W[t-14] 


Informational 


and HKDF May 2011 


Loop counter */ 
Temporary word value 
Word sequence */ 
Word buffers */ 


«« 24; 

1]) << 16; 
21) << 8; 
31); 


ж ж ж ж 


^ W[t-16]); 


D) + E + W[t] + K[0]; 


C, D) + E + Wt] + К(11; 


D) + E + W[t] + КІ21; 
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A = temp; 


for (t = 60; t < 80; +++) { 
temp = 5НА1 ROTL(5,A) + SHA_Parity(B, C, D) + E + W[t] + K[3]; 


E = D; 

D = С; 

С = SHA1_ROTL(30,B); 
B = A; 

A = temp; 


} 


context->Intermediate_Hash[0] += A 
context->Intermediate_Hash[1] += B 
context->Intermediate_Hash[2] += C; 
context->Intermediate_Hash[3] += D 
context->Intermediate_Hash[4] += E 
context->Message_Block_Index = 0; 


} 

/* 

* SHAlFinalize 

* 

* Description: 

* This helper function finishes off the digest calculations. 

* 

* Parameters: 

* context: [in/out] 

* The SHA context to update. 

* Pad Byte: [in] 

Е The last byte to ааа to the message block before the 0-padding 
* and length. This will contain the last bits of the message 
Е followed by another single bit. If the message was ап 

> exact multiple of 8-bits long, Pad Byte will be 0x80. 

* 

* Returns: 

Ж sha Error Code. 

* 

*/ 


static void SHAlFinalize(SHAlContext *context, uint8 t Pad Byte) 
{ 

int i; 

SHA1PadMessage (context, Pad Byte); 

/* message may be sensitive, clear it out */ 

for (і = 0; i < 5НА1 Message Block Size; ++i) 

context-»Message Block[i] = 0; 
context-»Length High = 0; /* and clear length */ 
context-»Length Low = 0; 
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} 


context-»Computed = 1; 


SHAlPadMessage 


Description: 
According to the standard, the message must be padded to the next 
even multiple of 512 bits. The first padding bit must be а "1". 
The last 64 bits represent the length of the original message. 
All bits in between should be 0. This helper function will pad 
the message according to those rules by filling the Message Block 
array accordingly. When it returns, it can be assumed that the 
message digest has been computed. 


Parameters: 

context: [in/out] 
The context to pad. 

Pad Byte: [in] 
The last byte to add to the message block before the 0-padding 
and length. This will contain the last bits of the message 
followed by another single bit. If the message was an 
exact multiple of 8-bits long, Pad Byte will be 0x80. 


+ + + + ж ж ж ж ж ж ж ж ж ж ж ж ж ж ж Ro Ro X 


Returns: 
Nothing. 


ж 


A 


static void SHAlPadMessage(SHAlContext *context, uint8 t Pad Byte) 


{ 


/* 
* Check to see if the current message block is too small to hold 
* the initial padding bits and length. If so, we will pad the 
* block, process it, and then continue padding into a second 
* block. 
*/ 

if (context-»Message Block Index >= (5НА1 Message Block Size - 8)) ( 
context-»Message Block[context-»Message Block Іпаех++] = Pad Byte; 
while (context-»Message Block Index < SHA1 Message Block Size) 

context-»Message Block[context-»Message Block Іпаех++] = 0; 


SHAlProcessMessageBlock (context); 
) else 
context-»Message Block[context-»Message Block Іпаех++] = Pad Byte; 


while (context-»Message Block Index < (5НА1 Message Block Size - 8)) 
context-»Message Block[context-»Message Block Іпаех++] = 0; 
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/* 
* Store the message length as the last 8 octets 
xf 
context-»Message Block[56] = (uint8 t) (context-»Length High >> 24); 
context-»Message Block[57] = (uint8 t) (context-»Length High >> 16); 
context-»Message Block[58] = (uint8 t) (context-»Length High >> 8); 
context-»Message Block[59] = (uint8 t) (context-»Length High); 
context-»Message Block[60] = (uint8 t) (context-»Length Low >> 24); 
context-»Message Block[61] = (uint8 t) (context-»Length Low >> 16); 
context-»Message Block[62] = (uint8 t) (context-»Length Low >> 8); 
context-»Message Block[63] = (uint8 t) (context-»Length Low); 


SHAlProcessMessageBlock (context); 


} 


8.2.2. sha224-256.c 


[KKK KKK KKK KK KKK KKK KKK KK KKK sha224-256.c АА 


[**Ж*Ж**Х***хх*ххх Ж бее РЕС 6234 for details. KOR KKK KK RK KK KK KK KK / 
/* Copyright (c) 2011 IETF Trust and the persons identified as */ 


/* authors of the code. All rights reserved. */ 
/* See sha.h for terms of use and redistribution. х/ 
/ 


Description: 
This file implements the Secure Hash Algorithms SHA-224 and 
SHA-256 as defined in the U.S. National Institute of Standards 
and Technology Federal Information Processing Standards 
Publication (FIPS PUB) 180-3 published in October 2008 
and formerly defined in its predecessors, FIPS PUB 180-1 
and FIP PUB 180-2. 


A combined document showing all algorithms is available at 
http://csrc.nist.gov/publications/fips/ 
fips180-3/fips180-3 final.pdf 


The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit 
message digests for a given data stream. It should take about 
2**n steps to find a message with the same digest as a given 
message and 2**(n/2) to find any two messages with the same 
digest, when n is the digest size in bits. Therefore, this 
algorithm can serve as a means of providing a 

"fingerprint" for a message. 


Portability Issues: 
SHA-224 and SHA-256 are defined in terms of 32-bit "words". 
This code uses «stdint.h» (included via "sha.h") to define 32- 
and 8-bit unsigned integer types. If your C compiler does not 
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support 32-bit unsigned integers, this code is not 
appropriate. 


Caveats: 
SHA-224 and SHA-256 are designed to work with messages less 
than 2^64 bits long. This implementation uses SHA224/256Input () 
to hash the bits that are a multiple of the size of an 8-bit 
octet, and then optionally uses SHA224/256FinalBits() 
to hash the final few bits of the input. 


+ + + ж ж ж ж oo X 


/ 


#include "sha.n" 
#include "sha-private.h" 


/* Define the SHA shift, rotate left, and rotate right macros */ 


#define SHA256_SHR(bits, word) ((word) >> (bits) ) 

#define SHA256_ROTL (bits, word) \ 
(((word) << (bits)) | ((word) >> (32-(bits)))) 

#define SHA256_ROTR(bits, word) \ 
(((word) >> (bits)) | ((word) << (32-(bits)))) 


/* Define the SHA SIGMA and sigma macros */ 
#define SHA256_SIGMAO (word) \ 

(SHA256 ROTR( 2,word) ^ SHA256 ROTR(13,word) ^ SHA256 ROTR(22,word)) 
#define SHA256 51СМА1 (word) N 

(ЗНА256 ROTR( 6,word) ^ SHA256 ROTR(11,word) ^ 5НА256 ROTR(25,word)) 


#define SHA256 sigma0 (word) N 
(SHA256 ROTR( 7,word) ^ SHA256 ROTR(18,word) ^ SHA256 SHR( 3,word)) 
#define SHA256 sigmal (word) N 


(SHA256 ROTR(17,word) ^ SHA256 ROTR(19,word) ^ SHA256 SHR(10,word)) 


/* 
* Add "length" to the length. 
* Set Corrupted when overflow has occurred. 
ж 
static uint32_t addTemp; 
#define SHA224 256AddLength (context, length) \ 
(addTemp = (context)-»Length Low, (context)->Corrupted = х 
(( (context) ->Length_Low += (length)) < адаТетр) && \ 
(++ (context) ->Length_High == 0) ? shaInputTooLong \ 
(context) ->Corrupted ) 


/* Local Function Prototypes */ 
static int 5НА224 256Reset(SHA256Context *context, uint32 t *H0); 
static void SHA224 256ProcessMessageBlock(SHA256Context *context); 
static void SHA224 256Finalize(SHA256Context *context, 

uint8 t Pad Byte); 
static void SHA224 256PadMessage(SHA256Context *context, 


Eastlake & Hansen Informational [Page 40] 


RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 


uint8_t Pad Byte); 
static int SHA224 256ResultN(SHA256Context *context, 
uint8 t Message Digest[ ], int HashSize); 


/* Initial Hash Values: FIPS 180-3 section 5.3.2 */ 
static uint32 t SHA224 HO[SHA256HashSize/4] = { 
OxC1059ED8, 0x367CD507, 0x3070DD17, 0хЕ70Е5939, 
OxFFCOOB31, 0x68581511, Ox64F98FA7, OxBEFA4FA4 
у; 


/* Initial Hash Values: FIPS 180-3 section 5.3.3 */ 

static uint32_t SHA256_HO[SHA256HashSize/4] = { 
0х6А09Е667, OxBB67AE85, Ox3C6EF372, OxA5AFF53A, 
0х510Е527Е, 0x9B05688C, Ox1F83D9AB, Ox5BEOCD19 


у; 


М. 


+ + + + ж ж ж ж ж ж ж ж ж ж 


SHA224Reset 


Description: 
This function will initialize the SHA224Context in preparation 
for computing a new SHA224 message digest. 


Parameters: 
context: [in/out] 
The context to reset. 


Returns: 
sha Error Code. 
/ 
int SHA224Reset (SHA224Context *context) 
{ 
return SHA224 256Reset (context, SHA224 H0); 
} 


/* 

* SHA224Input 

* 

* Description: 

2 This function accepts ап array of octets аз the next portion 
* of the message. 

* 

* Parameters: 

* context: [in/out] 

ui The SHA context to update. 

* message array[ ]: [in] 

Ж An array of octets representing the next portion of 
* 


the message. 
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length: [in] 
The length of the message in message_array. 


Returns: 
sha Error Code. 


+ + ож Xo ж ж ж 


/ 

int SHA224Input (SHA224Context *context, const uint8_t *message_array, 
unsigned int length) 

{ 

return SHA256Input (context, message_array, length); 


} 


SHA224FinalBits 


Description: 
This function will add in any final bits of the message. 


Parameters: 

context: [in/out] 
The SHA context to update. 

message_bits: [in] 
The final bits of the message, in the upper portion of the 
byte. (Use Ob###00000 instead of 0b00000444 to input the 
three bits ###.) 

length: [in] 
The number of bits in message_bits, between 1 and 7. 


Returns: 
sha Error Code. 


+ + ож ож + ж ж ж ж ж ж ж ж ж ж ж ж ж ж 


/ 
int SHA224FinalBits (SHA224Context *context, 
uint8_t message_bits, unsigned int length) 
{ 
return SHA256FinalBits (context, message_bits, length); 
} 


/* 
* SHA224Result 

* 

* Description: 

* This function will return the 224-bit message digest 

* into the Message Digest array provided by the caller. 

* NOTE: 

* The first octet of hash is stored in the element with index 0, 
* the last octet of hash in the element with index 27. 

* 
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Parameters: 
context: [in/out] 
The context to use to calculate the SHA hash. 
Message Digest[ ]: [out] 
Where the digest is returned. 


+ + xo X ж ж ж 


Returns: 

Ж sha Error Code. 

*/ 
int SHA224Result(SHA224Context *context, 

uint8 t Message Digest[SHA224HashSize]) 

{ 

return SHA224 256ResultN(context, Message Digest, SHA224HashSize) ; 
} 


М. 


+ + + + ж ж ж ж ж ж ж ж ж ж 


SHA256Reset 


Description: 
This function will initialize the SHA256Context in preparation 
for computing a new SHA256 message digest. 


Parameters: 
context: [in/out] 
The context to reset. 


Returns: 
sha Error Code. 
/ 
int SHA256Reset (SHA256Context *context) 
{ 
return SHA224 256Reset (context, 5НА256 НО); 
} 


SHA256Input 


Description: 
This function accepts an array of octets as the next portion 
of the message. 


Parameters: 
context: [in/out] 
The SHA context to update. 
message_array[ ]: [in] 
An array of octets representing the next portion of 
the message. 


+ + + + ж ж ж ж ж ж ж ж X 
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length: [in] 
The length of the message in message_array. 


Returns: 
sha Error Code. 


ж ж ож ож ж ж 


/ 
int SHA256Input(SHA256Context *context, const uint8 t *message array, 
unsigned int length) 
( 
if (!context) return shaNull; 
if (!length) return shaSuccess; 
if (!message array) return shaNull; 
( 
( 


if (context-»Computed) return context-»Corrupted = shaStateError; 
if (context-»Corrupted) return context-»Corrupteg; 
while (length--) { 


context-»Message Block[context-»Message Block Іпаех++] = 
*message array; 


if ((SHA224 256AddLength(context, 8) == shaSuccess) && 
(context-»Message Block Index == SHA256 Message Block Size)) 
SHA224 256ProcessMessageBlock (context); 


message аггау++; 


} 


return context-—>Corrupted; 


SHA256FinalBits 


Description: 
This function will add in any final bits of the message. 


Parameters: 

context: [in/out] 
The SHA context to update. 

message_bits: [in] 
The final bits of the message, in the upper portion of the 
byte. (Use Ob###00000 instead of 05000000444 to input the 
three bits ###.) 

length: [in] 
The number of bits in message bits, between 1 and 7. 


Returns: 
sha Error Code. 


+ + + + + ж ж ж ж ж ж ж ж ж ж Ro Ro X 
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*/ 
int SHA256FinalBits(SHA256Context *context, 
uint8 t message bits, unsigned int length) 
{ 
static uint8_t masks[8] = { 
/* 0 0500000000 */ 0x00, /* 
/* 2 0b11000000 х/ 0OxCO, /* 
/* 4 0b11110000 */ OxFO, /* 
/* 6 0b11111100 */ OxFC, /* 


0010000000 */ 0x80, 
0011100000 */ OxEO, 
0011111000 */ OxF8, 
0011111110 */ OxFE 


чоло н 


у; 

static uint8_t markbit[8] = { 
/* 0 0b10000000 */ 0x80, /* 
/* 2 0600100000 */ 0x20, /* 
/* 4 0500001000 */ 0x08, /* 
/* 6 0600000010 */ 0x02, /* 


0501000000 */ 0x40, 
0500010000 */ 0x10, 
0000000100 */ 0x04, 
0000000001 */ 0x01 


чоло н 


у; 


if (!context) return shaNull; 

if (!length) return shaSuccess; 

if (context-»Corrupted) return context-—>Corrupted; 

if (context-»Computed) return context-»Corrupted = shaStateError; 
if (length >= 8) return context-»Corrupted = shaBadParam; 


SHA224 256AddLength(context, length); 
SHA224 256Finalize(context, (uint8 t) 
((message bits & masks[length]) | markbit[length])); 


return context-»Corruptegd; 


/* 

* SHA256Result 

* 

* Description: 

* This function will return the 256-bit message digest 
* into the Message Digest array provided by the caller. 
* NOTE: 

Ж The first octet of hash is stored in the element with index 0, 
X the last octet of hash in the element with index 31. 
* 

* Parameters: 

* context: [in/out] 

* The context to use to calculate the SHA hash. 

* Message Digest[ ]: [out] 

* Where the digest is returned. 

* 

* Returns: 

* 


sha Error Code. 
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ЫГ 
int SHA256Result (SHA256Context *context, 
uint8_t Message Digest[SHA256HashSize]) 
{ 
return SHA224 256ResultN(context, Message Digest, SHA256HashSize) ; 
} 


SHA224 256Reset 


Description: 
This helper function will initialize the SHA256Context in 
preparation for computing a new SHA-224 or SHA-256 message digest. 


Parameters: 
context: [in/out] 
The context to reset. 
HO[ ]: [in] 
The initial hash value array to use. 


+ + ox ож ж ж ж ж ж ж ж ж ж ж 


Returns: 
sha Error Code. 


+ 


*/ 
static int SHA224 256Reset(SHA256Context *context, uint32 t *HO0) 
{ 


if (!context) return shaNull; 


context-»Length High = context-»Length Low = 0; 


context-»Message Block Index = 0; 

context-»Intermediate Hash[0] = НО(01, 
context-»Intermediate Hash[1] = HO[1]; 
context-»Intermediate Hash[2] = НО(21, 
context-»Intermediate Hash[3] = НО(31, 
context-»Intermediate Hash[4] = НО(41, 
context-»Intermediate Hash[5] = НО(51, 
context-»Intermediate Hash[6] = НО(61, 
context-»Intermediate Hash[7] = HO[7]; 


context-»Computed = 0; 
context-»Corrupted = shaSuccess; 


return shaSuccess; 


} 
/ж 


* SHA224 256ProcessMessageBlock 
* 
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* Description: 

Е This helper function will process the next 512 bits of the 
* message stored in the Message Block array. 

* 

* Parameters: 

Ы context: [in/out] 

* The SHA context to update. 

* 

* Returns: 

* Nothing. 

* 

* Comments: 

* Many of the variable names in this code, especially the 
2 single character names, меге used because those were the 
Ж names used in the Secure Hash Standard. 

AY 


static void SHA224 256ProcessMessageBlock(SHA256Context *context) 


{ 


/* Constants defined in FIPS 180-3, 


static const uint32_t K[64] 


у; 


int 


uint32_t 
uint32_t 
uint32 t 


/ * 


0x428a2f98, 
0x59f111f1, 
0x243185be, 
Oxc19bf174, 
0х24е92с6Е, 
0ха831с664, 
0х06са6351, 
0х53380413, 
Oxa2bfe8al, 
0xd6990624, 
0х2748774с, 
0x682e6ff3, 
Ox90befffa, 


t, 


0x71374491, 
0x923f82a4, 
0x550c7dc3, 
0хе49р69с1, 
0х4а7484аа, 
0хр00327с8, 
0х14292967, 
0х650а7354, 
Oxa81a664b, 
0х#40е3585, 
0x34b0bcb5, 
0x748f82ee, 
0ха4506сер, 


t4; 
templ, 
W[64]; 
A, B, 


temp2; 


с, 


zd 

Oxb5cOfbcf, 
0хар1с5е45, 
0х72ре5474, 
Oxefbe4786, 
Ox5cb0a9dc, 
0хрЕ597Ёс7, 
0x27b70a85, 
0x766a0abb, 
Oxc24b8b70, 
0x106aa070, 
0x391c0cb3, 
0x78a5636f, 
Oxbef9a3fT, 


/ * 
/ * 
/ * 
/ * 


section 4.2.2 */ 


Oxe9b5dba5, 
0х4807аа98, 
0x80deblfe, 
0х0Ғс19(4с6, 
0x76f988da, 
0xc6e00bf3, 
Ох2е1р2138, 
0x81c2c92e, 
0хс76с51а3, 
0x19a4c116, 
0х4е48аа4а, 
0x84c87814, 
0хс67178Е2 


0x3956c25b, 
0х12835Ю01, 
0х9р4с06а7, 
0х240са1сс, 
0х983е5152, 
0xd5a79147, 
0х442с64Ёс, 
0x92722c85, 
0xd192e819, 
0x1e376c08, 
Ox5b9cca4f, 
0x8cc70208, 


Loop counter */ 
Temporary word value */ 
Word sequence */ 

Word buffers */ 


* Initialize the first 16 words in the array W 


*/ 


for 
W[t] 


Eastl 


(t = t4 = 
(CC 
(CC 
(С 
(С 


ake & Hansen 


0; 
uint32_t 
uint32_t 
uint32_t 
uint32_t 


t < 16; 


м2 м2 ме ме 


ttt, 
context-»Message Block[t4]) 
context-»Message Block[t4 + 
context-»Message Block[t4 + 
context-»Message Block[t4 + 


t4 += 4) 


Informational 


«« 24) | 
11) 
21) 
31)); 


«« 16) | 
«« 8) | 
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for (t = 16; t < 64; t++) 
W[t] = SHA256 sigmal(W[t-2]) + W[t-7] + 
SHA256_sigmaO (W[t-15]) + W[t-16]; 


= context-»Intermediate Hash[6]; 
= context-»Intermediate Наѕһ [7]; 


A = context-»Intermediate Hash[0]; 
В = context-»Intermediate Hash[1]; 
С = context-»Intermediate Hash[2]; 
D = context-»Intermediate Hash[3]; 
E = context-»Intermediate Hash[4]; 
F = context-»Intermediate Hash[5]; 
G 

H 


for (t = 0; t < 64; ttt) { 
templ = H + 5НА256 51СМА1(Е) + SHA Ch(E,F,G) + K[t] + W[t]; 
temp2 SHA256_SIGMAO (A) + SHA Мај (А,В,С); 
= G; 


PWAUVHAAADA 
ll 
Q 


= templ + temp2; 
} 


context-»Intermediate Hash[0] += A; 
context-»Intermediate Hash[1] += B; 
context-»Intermediate Hash[2] += C; 
context-»Intermediate Hash[3] += D; 
context-»Intermediate Hash[4] += E; 
context-»Intermediate Hash[5] += Е; 
context-»Intermediate Hash[6] += G; 
context-»Intermediate Hash[7] += H; 
context-»Message Block Index = 0; 


SHA224 256Finalize 


Description: 
This helper function finishes off the digest calculations. 


Parameters: 
context: [in/out] 
The SHA context to update. 
Pad Byte: [in] 


+ + + + ж ж ж ж ж ж 
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The last byte to add to the message block before the 0-padding 
and length. This will contain the last bits of the message 
followed by another single bit. If the message was an 
exact multiple of 8-bits long, Pad Byte will be 0x80. 

Returns: 
sha Error Code. 


static void SHA224 256Finalize(SHA256Context *context, 


{ 
i 
S 
/ 


uint8 t Pad Byte) 


nt. i; 
НА224 256PadMessage (context, Pad Byte); 
* message may be sensitive, so clear it out */ 


for (1 = 0; i < SHA256 Message Block Size; ++i) 


с 
с 
с 


+ + ож + ж ж ж ж ж ж ж ж ж ж ж Жж ж ж ж ж Ro ж 


ж 


ж/ 


static void 5НА224 256PadMessage (SHA256Context *context, 


{ 


Eas 


context-»Message Block[i] = 0; 

ontext-»Length High = 0; /* and clear length */ 
ontext-»Length Low = 0; 
ontext-»Computed - 1; 


SHA224 256PadMessage 


Description: 


According to the standard, the message must be padded to the next 
even multiple of 512 bits. The first padding bit must be а "1". 
The last 64 bits represent the length of the original message. 
All bits in between should be 0. This helper function will pad 


the message according to those rules by filling the 


Message Block array accordingly. When it returns, 
assumed that the message digest has been computed. 


Parameters: 
context: [in/out] 
The context to pad. 
Pad Byte: [in] 


it can be 


The last byte to add to the message block before the 0-padding 
and length. This will contain the last bits of the message 


followed by another single bit. If the message was an 
exact multiple of 8-bits long, Pad Byte will be 0x80. 


Returns: 
Nothing. 


uint8 t Pad Byte) 
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too small to hold 
we will pad the 
into a second 


Check to see if the current message block is 
the initial padding bits and length. If so, 
block, process it, and then continue padding 
block. 

Хи 
if (context-»Message Block Index >= 
context-»Message Block[context-»Message Block Index-t-*] 


(SHA256 Message Block Size-8)) { 
Pad Byte; 


while (context-»Message Block Index < SHA256 Message Block Size) 
context-»Message Block[context-»Message Block Іпаех++] = 0; 
SHA224 256ProcessMessageBlock (context); 
) else 
context-»Message Block[context-»Message Block Index-**] = Pad Byte; 


while (context-»Message Block Index < (SHA256 Message Block Size-8)) 

context-»Message Block[context-»Message Block Іпаех++] = 0; 
/* 

* Store the message length as the last 8 octets 

*/ 
context-»Message Block[56] = (uint8 t) (context->Length_High >> 24); 
context-»Message Block[57] = (uint8 t) (context->Length_High >> 16); 
context-»Message Block[58] = (uint8 t) (context-»Length High >> 8); 
context-»Message Block[59] = (uint8 t) (context-»Length High); 
context-»Message Block[60] = (uint8 t) (context-»Length Low >> 24); 
context-»Message Block[61] = (uint8 t) (context-»Length Low >> 16); 
context-»Message Block[62] = (uint8 t) (context-»Length Low >> 8); 
context-»Message Block[63] = (uint8 t) (context-»Length Low); 


SHA224 256ProcessMessageBlock (context); 


SHA224 256ResultN 


Description: 
This helper function will return the 224-bit or 256-bit message 
digest into the Message Digest array provided by the caller. 
NOTE: 
The first octet of hash is stored in the element with index 0, 
the last octet of hash in the element with index 27/31. 


Parameters: 
context: [in/out] 
The context to use to calculate the SHA hash. 
Message Digest[ ]: [out] 
Where the digest is returned. 
HashSize: [in] 
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ж ж ж 


ж 


ж 


st 


{ 


} 


8. 


/* 
/* 
/* 
/ж 
/* 


/ 


+ + + + ж ж ж ж ж ж ж ж ж ж X ж 


The size of the hash, either 28 or 32. 
Returns: 
sha Error Code. 
/ 
atic int SHA224 256ResultN(SHA256Context *context, 


uint8 t Message Digest[ ], int HashSize) 
int i; 
if (!context) return shaNull; 
if (!Message Digest) return shaNull; 


if (context-»Corrupted) return context-»Corruptegd; 


if (!context-»Computed) 
SHA224 256Finalize(context, 0x80); 


for (i = 0; i « HashSize; ++i) 
Message Digest[i] = (uint8 t) 
(context-»Intermediate Hash[i»»2] >> 8 * (3- (i & 0x03 ) 


return shaSuccess; 


2.3. sha384-512.c 


ХХХ ХХХ ck ckckckckckck ck ck ck ck ck ck ck ck kc Sha384-512.c KOK KK ck kck ck kck ck ck ck ck kok ck ke ke e ke kx ЖК / 
ACkCkckck ck ck ck ck ck ck ck kc kk See RFC 6234 for details. ЖКК x / 
Copyright (c) 2011 IETF Trust and the persons identified as */ 
authors of the code. All rights reserved. x 
See sha.h for terms of use and redistribution. х/ 


Description: 
This file implements the Secure Hash Algorithms SHA-384 and 


SHA-512 as defined in the U.S. National Institute of Standards 


and Technology Federal Information Processing Standards 
Publication (FIPS PUB) 180-3 published in October 2008 
and formerly defined in its predecessors, FIPS PUB 180-1 
and FIP PUB 180-2. 


A combined document showing all algorithms is available at 
http://csrc.nist.gov/publications/fips/ 
fips180-3/fips180-3 final.pdf 


The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit 
message digests for a given data stream. It should take about 


2**n steps to find a message with the same digest as a given 
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message and 2**(n/2) to find any two messages with the same 
digest, when n is the digest size in bits. Therefore, this 
algorithm can serve as a means of providing a 

"fingerprint" for a message. 


Portability Issues: 


SHA-384 and SHA-512 are defined in terms of 64-bit "words", 
but if USE_32BIT_ONLY is #defined, this code is implemented in 
terms of 32-bit "words". This code uses <stdint.h> (included 
via "sha.h") to define the 64-, 32- and 8-bit unsigned integer 
types. If your C compiler does not support 64-bit unsigned 
integers and you do not #define USE 32BIT ONLY, this code is 
not appropriate. 


Caveats: 


SHA-384 and SHA-512 are designed to work with messages less 


2011 


than 2^128 bits long. This implementation uses SHA384/512Input () 


to hash the bits that are a multiple of the size of an 8-bit 
octet, and then optionally uses SHA384/256FinalBits() 
to hash the final few bits of the input. 


#include "sha.h" 


#ifdef USE 32BIT ONLY 


/ * 


* Define 64-bit arithmetic in terms of 32-bit arithmetic. 
* Each 64-bit number is represented in a 2-word array. 
* All macros are defined such that the result is the last parameter. 


х/ 
/ж 
* Define shift, rotate left, and rotate right functions 
х/ 

#define SHA512 SHR(bits, word, ret) ( \ 
/* (((uint64_t) ((word))) >> (bits)) */ \ 
(ret) [0] = (((bits) < 32) && ((bits) >= 0)) ? \ 

((word) [0] >> (bits)) : 0, \ 
(ret) [1] = ((bits) > 32) ? ((word) [0] >> ((bits) - 32)) \ 
((bits) == 32) ? (word) [0] \ 
((bits) >= 0) ? \ 
(( (word) [0] << (32 - (bits))) | \ 
((word) [1] >> (bits))) : 0) 

#define SHA512 SHL(bits, word, ret) ( N 
/* (((uint64 t) (word)) «« (bits)) */ N 
(ret) [0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) N 
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((bits) == 32) ? 
((bits) >= 0) ? 
(( (word) [0] << 
( (word) [1] >> 


(word) [1] 


(bits)) | 
(32 - (bits)))) 
(ret)[1] = (((bits) « 32) && ((bits) 
<< (bres) : 0) 


/* 
* Define 64-bit OR 
7А 
#define 5НА512 OR(wordl, word2, 
(ret) [0] = (word1) [0] | 
(ret) [1] = (word1) [1] | 


ret) ( 
(word2) [0], 
(word2) [1] ) 


/* 
* Define 64-bit XOR 
*/ 

#define SHA512 XOR(wordl, word2, 

(ret) [0] = (word1)[0] ^ 
(ret) [1] = (мога1) [1] ^ 


ret) ( 
(word2) [0], 
(word2) [1] ) 


/* 
* Define 64-bit AND 
Жу 

#define 5НА512 АМП(юог41, word2, 

(ret) [0] = (мога1) [0] 6 
(ret) [1] = (мога1) [1] в 


ret) ( 
(word2) [0], 
(word2) [1] ) 


/* 
* Define 64-bit TILDA 
А 
#define SHA512 ТІІРА (word, 
( (ret) [0] = ~ (word) [0], 


ret) 
(ret) [1] = ~ (word) [1] ) 
/* 
* Define 64-bit ADD 
*/ 
#define SHA512 ADD(wordl, word2, 
(ret) [1] = (word1)[1], 
(ret) [0] = (word1)[0] + 


ret) ( 
(ret) [1] += (word2) [1], 
(word2) [0] + ((ret) [1] 


/* 
* Add the 4word value in word2 to wordl. 
*/ 

static uint32 t ADDTOA4 temp, Аррто4 temp2; 

#define SHA512 ADDTO4(wordl, word2) ( 

ADDTO4_temp = (wordl)[3], 
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(word1) ІЗІ += (word2) [3], \ 
ADDTO4_temp2 = (word1) [2], \ 
(мога1) [2] += (word2) [2] + ((wordl) [3] < ADDTOA temp), A 
АРрРТО4 temp = (wordl) [1], \ 
(мога1) [1] += (word2) [1] + ((мога1) [2] < ADDTO4_temp2), \ 
(мога1) [0] += (word2) [0] + ((мога1) [1] < ADDTO4_temp) ) 

/* 

* Add the 2word value in word2 to wordl. 

x 

static uint32 t ADDTO2 temp; 

#define SHA512 ADDTO2(wordl, word2) ( N 
ADDTO2 temp = (wordl) [1], N 
(wordl1) [1] += (word2)[1], N 
(мога1) [0] += (word2)[0] + ((wordl1)[1] < ADDTO2 temp) ) 

/* 

* SHA rotate ((word »» bits) | (word «« (64-bits))) 
ur 

static uint32 t ROTR_temp1[2], ROTR temp2[2]; 

#define SHA512 ROTR(bits, word, ret) ( N 
SHA512 SHR((bits), (word), ROTR templ), N 
SHA512 SHL(64-(bits), (word), ROTR temp2), N 


5НА512 OR(ROTR templ1, ROTR temp2, (ret)) ) 


/* 
* Define the SHA SIGMA and sigma macros 


Ж 5НА512 ROTR(28,word) ^ SHA512 ROTR(34,word) ^ SHA512 ROTR(39,word) 
х/ 

static uint32 t SIGMAO templ1[2], SIGMAO temp2[2], 
SIGMAO_temp3[2], SIGMAO temp4[2]; 

#define SHA512 SIGMAO (word, ret) ( 

SHA512 ROTR(28, (word), SIGMAO templ), 

HA512 ROTR(34, (word), SIGMAO temp2), 

HA512 ROTR(39, (word), SIGMAO temp3), 

HA512 XOR(SIGMAO temp2, SIGMAO_temp3, SIGMAO temp4), 

HA512 XOR(SIGMAO templ, SIGMAO temp4, (ret)) ) 


VM УУЛ” 


S 
S 
S 
S 


/* 
х 5НА512 ROTR(14,word) ^ 5НА512 ROTR(18,word) ^ 5НА512 ROTR(41,word) 
*/ 

static uint32 t 51СМА1 templ1[2], 5ІСМА1 temp2[2], 

SIGMA1 temp3[2], 5ІСМА1 temp4[2]; 

#define SHA512 ЗІСМАЇ (мога, ret) ( 

5НА512 ROTR(14, (word), 51СМА1 templ), 
5НА512 ROTR(18, (word), 51СМА1 temp2), 
SHA512 ROTR(41, (word), 5ІСМА1 temp3), 


POE M um 
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SHA512_XOR(SIGMA1_temp2, 5ІСМА1 temp3, 51СМА1 temp4), N 
5НА512 ХОБ(51СМА1 templ, 51СМА1 temp4, (ret)) ) 


/* 
* (SHA512 ROTR( 1,word) ^ SHA512 ROTR( 8,word) ^ SHA512 SHR( 7,word)) 
*/ 
static uint32 t sigma0_temp1[2], sigma0 temp2[2], 
Sigma0 temp3[2], sigma0 temp4[2]; 
#define SHA512 sigmaO0 (word, ret) ( 
5НА512 ROTR( 1, (word), sigma0 templ), 
HA512 БОТБ( 8, (word), sigma0 temp2), 
A512 SHR( 7, (word), sigma0 temp3), 
A512 XOR(sigma0 temp2, sigma0 temp3, sigma0 temp4), 
A512 XOR(sigma0 templ, sigma0 temp4, (ret)) ) 


UM V UM ж 


S 
S 
S 
S 


/* 
х (SHA512 ROTR(19,word) ^ SHA512 ROTR(61,word) ^ SHA512 SHR( 6,word)) 
х/ 

static uint32 t sigmal_temp1[2], sigmal temp2[2], 

Sigmal temp3[2], sigmal temp4[2]; 


#define SHA512 sigmal(word, ret) ( N 
SHA512 ROTR(19, (word), sigmal templ), N 
SHA512 ROTR(61, (word), sigmal temp2), N 
SHA512 SHR( 6, (word), sigmal temp3), N 
SHA512 XOR(sigmal temp2, sigmal temp3, sigmal temp4), N 
SHA512 XOR(sigmal templ, sigmal temp4, (ret)) ) 

#ifndef USE MODIFIED MACROS 

/* 

* These definitions are the ones used in FIPS 180-3, section 4.1.3 
*  Ch(x,y,z) ((х в y) ^ (x в z)) 
ЫГ 
static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2]; 
#define SHA_Ch(x, y, z, ret) ( \ 
SHA512 AND(x, y, Ch templ), N 
SHA512 TILDA(x, Ch temp2), N 
SHA512 AND(Ch temp2, z, Ch temp3), N 
5НА512 XOR(Ch templ1, Ch temp3, (ret)) ) 
/* 
* Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ (Cy) &(2))) 
*/ 

static uint32 t Maj_temp1[2], Maj temp2[2], 
Maj temp3[2], Maj temp4[2]; 

#define SHA Maj(x, y, z, ret) ( N 
SHA512 AND(x, y, Maj templ), N 
SHA512 AND(x, z, Maj temp2), N 
SHA512 AND(y, z, Maj temp3), N 
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SHA512 XOR(Maj temp2, Maj temp3, Maj temp4), N 
SHA512 XOR(Maj templ, Maj temp4, (ret)) ) 
felse /* !USE MODIFIED MACROS */ 
/ж 
* These definitions are potentially faster equivalents for the ones 
* used in FIPS 180-3, section 4.1.3. 


* ((x & y) ^ (x & z)) becomes 
5 ((х & (у ^ z)) ^ 2) 
*/ 

#define SHA Ch(x, y, z, ret) ( N 
(ret) [0] = (((x) [0] & ((y) I0] ^ (2) [01)) ^ (2) (01), \ 
(ret) [1] = (((x) 111 & ((y) [1] ^ (z) [11)) ^ (2)111) ) 

/* 

* ((х & y) ^ (x в 2) ^ (у & z)) becomes 
ж, ((х& (у |z) | (у & 20) 
*/ 

#define SHA_Maj(x, у, z, ret) ( \ 
ret[0] = (((x) [0] & ((y) [0] | (z) [01)) | ((y) [0] & (z) [01)), \ 
ret[1] = (((x) [1] & ((y) [1] | (2) 111)) | ((y) [1] & (z) I11)) ) 


#endif /* USE_MODIFIED_MACROS */ 


/* 
* Add "length" to the length. 
* Set Corrupted when overflow has occurred. 
а 
static uint32 t addTemp[4] = (0, 0, 0, 0 ); 
#define SHA384_512AddLength(context, length) ( 


\ 
addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \ 
(context) —->Corrupted = (((context)-»Length[3] < (length)) && N 

((context)-»Length[2] == 0) && ((context)-»Length[1] == 0) && \ 
((context)-»Length[0] == 0)) ? shaInputTooLong \ 


(context) ->Corrupted ) 


/* Local Function Prototypes */ 
static int SHA384_512Reset (SHA512Context *context, 
uint32_t HO[SHA512HashSize/4]); 

static void SHA384_512ProcessMessageBlock (SHA512Context *context) ; 
static void SHA384 512Finalize(SHA512Context *context, 

uint8_t Pad_Byte); 
static void SHA384 512PadMessage(SHA512Context *context, 

uint8 t Pad Byte); 
static int SHA384 512ResultN( SHA512Context *context, 

uint8 t Message Digest[ ], int HashSize); 


/* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */ 
static uint32 t SHA384 HO[SHA512HashSize/4] = { 
OxCBBB9D5D, 0хС1059ЕР8, 0x629A292A, 0x367CD507, 0x9159015A, 
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0x3070DD17, 0x152FECD8, 0хЕ70Е5939, 0x67332667, OxFFCOO0B31, 
0х8ЕВ44А87, 0х68581511, OxDBOC2E0D, 0х64Е98ЕА7, 0x47B5481D, 
OxBEFA4FA4 


у; 

static uint32 t SHA512 HO[SHA512HashSize/4] = { 
0х6А09Е667, OxF3BCC908, OxBB67AE85, 0х84САА73В, 0х3С6ЕЕЗ372, 
OxFE94F82B, OxA5AFF53A, Ox5F1D36F1, 0х510Е527Е, OxADE682D1, 
0x9B05688C, 0х2В3Е6С1Е, Ox1F83D9AB, OxFB41BD6B, Ox5BEOCD19, 
0x137E2179 

у; 


фе1ѕе /* !USE 32BIT ONLY */ 
#include "sha-private.h" 


/* Define the SHA shift, rotate left and rotate right macros */ 

#define SHA512 SHR(bits,word) (((uint64 t) (word)) >> (bits)) 

#define SHA512 ROTR(bits,word) ((((uint64 t) (word)) >> (bits)) | \ 
(((uint64_t) (word)) << (64-(bits)))) 


/* 
* Define the SHA SIGMA and sigma macros 
* 
Жж 5НА512 ROTR(28,word) ^ 5НА512 ROTR(34,word) ^ SHA512 ROTR(39,word) 
*/ 
#define SHA512 SIGMAO (word) N 
(SHA512 ROTR(28,word) ^ 5НА512 ROTR(34,word) ^ SHA512 ROTR(39,word)) 
#define SHA512 51СМА1 (word) N 
(SHA512 ROTR(14,word) ^ SHA512 ROTR(18,word) ^ 5НА512 ROTR(41,word)) 


#define SHA512 sigma0 (word) N 
(SHA512 ROTR( 1,word) ^ 5НА512 ROTR( 8,word) ^ SHA512 SHR( 7,word)) 
#define SHA512 sigmal (word) N 


(SHA512 ROTR(19,word) ^ SHA512 ROTR(61,word) ^ SHA512 SHR( 6,word)) 


/* 
* Add "length" to the length. 
* Set Corrupted when overflow has occurred. 
ж? 

static uint64_t addTemp; 

#define SHA384_512AddLength (context, length) 

(addTemp = context-»Length Low, context-»Corrupted = 
((context-»Length Low += length) < addTemp) && 
(++context—>Length_High == 0) ? shaInputTooLong 

(context)-»Corrupted) 


ou uu 


/* Local Function Prototypes */ 
static int SHA384 512Reset(SHA512Context *context, 
uint64 t HO[SHA512HashSize/8]); 
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static void SHA384_512ProcessMessageBlock (SHA512Context *context) ; 
static void SHA384 512Finalize(SHA512Context *context, 
uint8_t Pad_Byte); 
static void SHA384 512PadMessage(SHA512Context *context, 
uint8_t Pad_Byte); 
static int SHA384 512ResultN(SHA512Context *context, 
uint8 t Message Digest[ ], int HashSize); 


/* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */ 
static uint64 t SHA384 HO[ ] = ( 
OxCBBB9D5DC1059ED811, 0x629A292A367CD50711, 0x9159015A3070DD1711, 
0Ox152FECD8F70E593911, 0х67332667ЕЕС00В3111, 0х8ЕВ44А876858151111, 
OxDBOC2E0D64F98FA711, 0x47B5481DBEFA4FA411 


у; 

static uint64 t SHA512 НОГ 1 = { 
0х6А09Е667ЕЗВСС90811, OxBB67AE8584CAA73Bl11, 0х3С6ЕЕЗ72ҒЕ94Е82В11, 
OxA5AFF53A5F1D36F111, 0x510E527FADE682D111, 0х9В05688С2ВЗЕ6СІРІ1, 
OxlF83D9ABFB41BD6Bl11, 0х5ВЕ0Ср19137Е217911 


у; 


#endif /* USE 32BIT ONLY */ 


ч 


+ + X ож Xo ж ж ж ж ж ж ж ж ж OF 


SHA384Reset 


Description: 
This function will initialize the SHA384Context in preparation 
for computing a new SHA384 message digest. 


Parameters: 
context: [in/out] 
The context to reset. 


Returns: 
sha Error Code. 


/ 
int SHA384Reset(SHA384Context *context) 


{ 
return SHA384_512Reset (context, SHA384 H0); 
} 


SHA384Input 


Description: 
This function accepts an array of octets as the next portion 
of the message. 


+ + + ж ж ж 
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Parameters: 

context: [in/out] 
The SHA context to update. 

message_array[ ]: [in] 
An array of octets representing the next portion of 
the message. 

length: [in] 
The length of the message in message_array. 


Returns: 
sha Error Code. 


+ + + X ож ж ж ж ж ж ж ж o X 


/ 
int SHA384Input (SHA384Context *context, 
const uint8_t *message_array, unsigned int length) 
{ 
return SHA512Input (context, message array, length); 


} 


SHA384FinalBits 


Description: 
This function will add in any final bits of the message. 


Parameters: 

context: [in/out] 
The SHA context to update. 

message_bits: [in] 
The final bits of the message, in the upper portion of the 
byte. (Use Ob###00000 instead of 0b00000444 to input the 
three bits ###.) 

length: [in] 
The number of bits in message_bits, between 1 and 7. 


Returns: 
sha Error Code. 


+ + x X + ж ж ж ж ж ж ж ж ж ж ж ж ж 


ж 


ж/ 
int SHA384FinalBits (SHA384Context *context, 
uint8_t message_bits, unsigned int length) 


{ 
return SHA512FinalBits (context, message_bits, length); 
} 


/* 
* SHA384Result 
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* 

* Description: 

2 This function will return the 384-bit message digest 
* into the Message_Digest array provided by the caller. 
* NOTE: 

X The first octet of hash is stored in the element with index 0, 
* the last octet of hash in the element with index 47. 
* 

* Parameters: 

* context: [in/out] 

В The context to use to calculate the SHA hash. 

Ж Message Digest[ 1: [out] 

* Where the digest is returned. 

* 

* Returns: 

* sha Error Code. 

* 

х/ 


int SHA384Result (SHA384Context *context, 
uint8 t Message Digest[SHA384HashSize]) 
{ 
return SHA384 512ResultN(context, Message Digest, SHA384HashSize) ; 
} 


М. 


+ ж ЖЖЖ + X X Xo ж Xo Ro ж ox ж 


SHA512Reset 


Description: 
This function will initialize the SHA512Context in preparation 
for computing a new SHA512 message digest. 


Parameters: 
context: [in/out] 
The context to reset. 


Returns: 
sha Error Code. 


/ 

int SHA512Reset (SHA512Context *context) 

{ 

return SHA384_512Reset (context, SHA512 H0); 


} 


/* 
* SHA512Input 


* 


* Description: 
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This function accepts an array of octets as the next portion 
of the message. 


Parameters: 

context: [in/out] 
The SHA context to update. 

message_array[ ]: [in] 
An array of octets representing the next portion of 
the message. 

length: [in] 
The length of the message in message_array. 


Returns: 
sha Error Code. 


+ + + X ж ж ж ж ж ж ж ж ж X 


ж 


А 
int SHA512Input (SHA512Context *context, 
const uint8_t *message_array, 
unsigned int length) 


if (!context) return shaNull; 

if (!length) return shaSuccess; 

if (!message array) return shaNull; 
( 
( 


if (context-»Computed) return context-»Corrupted = shaStateError; 
if (context-»Corrupted) return context-»Corrupteg; 
while (length--) { 


context-»Message Block[context-»Message Block Іпаех++] = 
*message array; 


if ((SHA384 512AddLength(context, 8) == shaSuccess) && 
(context-»Message Block Index == SHA512 Message Block Size)) 
SHA384 512ProcessMessageBlock (context); 


message аггау++; 


} 

return context-—>Corrupted; 
} 
SHA512FinalBits 


Description: 
This function will add in any final bits of the message. 


Parameters: 
context: [in/out] 


+ + + ж ж ж ж ж 
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The SHA context to update. 

message_bits: [in] 
The final bits of the message, in the upper portion of the 
byte. (Use Ob###00000 instead of 0b00000444 to input the 
three bits ###.) 

length: [in] 
The number of bits in message_bits, between 1 and 7. 


Returns: 
sha Error Code. 


+ + + + ж ж ж ж ж o X 


/ 
int SHA512FinalBits (SHA512Context *context, 
uint8_t message_bits, unsigned int length) 
{ 
static uint8_t masks[8] = { 
/* 0 0500000000 */ 0x00, /* 
/* 2 0b11000000 */ 0OxCO, /* 
/* 4 0b11110000 */ OxFO, /* 
/* 6 0b11111100 */ OxFC, /* 


0010000000 */ 0x80, 
0011100000 */ OxEO, 
0011111000 */ OxF8, 
0011111110 */ OxFE 


чоло н 


у; 

static uint8_t markbit[8] = { 
/* 0 0610000000 */ 0x80, /* 
/* 2 0500100000 */ 0x20, /* 
/* 4 0600001000 */ 0x08, /* 
/* 6 0600000010 */ 0x02, /* 


0501000000 */ 0x40, 
0500010000 */ 0x10, 
0000000100 */ 0x04, 
0000000001 */ 0x01 


чоло H 


17 


if (!context) return shaNull; 

if (!length) return shaSuccess; 

if (context-»Corrupted) return context-»Corrupteg; 

if (context-»Computed) return context-»Corrupted = shaStateError; 
if (length >= 8) return context-»Corrupted = shaBadParam; 


SHA384 512AddLength(context, length); 
SHA384 512Finalize(context, (uint8 t) 
((message bits & masks[length]) | markbit[length])); 


return context-»Corruptegd; 


/* 
* SHA512Result 

* 

* Description: 

* This function will return the 512-bit message digest 
* into the Message Digest array provided by the caller. 
* 


NOTE: 
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Ж The first octet of hash is stored in the element with index 0, 
* the last octet of hash in the element with index 63. 
* 

* Parameters: 

* context: [in/out] 

* The context to use to calculate the SHA hash. 

* Message Digest[ ]: [out] 

* Where the digest is returned. 

* 

* Returns: 

Ж sha Error Code. 

* 

х/ 


int SHA512Result (SHA512Context *context, 
uint8 t Message Digest[SHA512HashSize]) 
{ 
return 5НА384 512ResultN(context, Message Digest, SHA512HashSize); 
} 


SHA384_512Reset 


Description: 
This helper function will initialize the SHA512Context in 
preparation for computing a new SHA384 or SHA512 message 
digest. 


Parameters: 
context: [in/out] 
The context to reset. 
HO[ ]: [in] 
The initial hash value array to use. 


Returns: 
sha Error Code. 


+ + ож + + ж ж ж ж ж ж ж ж ж ж ж ж ж 


/ 

#ifdef USE_32BIT_ONLY 

static int SHA384_512Reset (SHA512Context *context, 
uint32 t HO[SHA512HashSize/4]) 

felse /* !USE 32BIT ONLY */ 

static int SHA384 512Reset(SHA512Context *context, 
uint64 t HO[SHA512HashSize/8]) 

#endif /* USE 32BIT ONLY */ 

{ 

int i; 

if (!context) return shaNull; 
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context-»Message Block Index = 0; 


#ifdef USE 32BIT. ONLY 
context-»Length[0] = context-»Length[1] 
context-»Length[2] = context-»Length[3] = 0; 


for (i = 0; і < SHA512HashSize/4; i++) 
context-»Intermediate Hash[i] = HO[il; 
#else /* !USE 32BIT ONLY */ 
context-»Length High = context-»Length Low = 0; 


for (i = 0; і < SHA512HashSize/8; i++) 
context-»Intermediate Hash[i] = HO[i]; 
#endif /* USE 32BIT ONLY */ 


context-»Computed = 0; 
context-»Corrupted = shaSuccess; 


return shaSuccess; 


SHA384_512ProcessMessageBlock 


Description: 
This helper function will process the next 1024 bits of the 
message stored in the Message_Block array. 


Parameters: 
context: [in/out] 
The SHA context to update. 


Returns: 
Nothing. 


Comments: 
Many of the variable names in this code, especially the 
single character names, were used because those were the 
names used in the Secure Hash Standard. 


+ + X ож ож ж ж ж ж ж ж ж ж ж ж ж ж ж ж 


ж 


ЖА 
static void SHA384_512ProcessMessageBlock (SHA512Context *context) 
{ 
#ifdef USE_32BIT_ONLY 
/* Constants defined in FIPS 180-3, section 4.2.3 */ 
static const uint32_t K[80*2] = { 
0x428A2F98, 0xD728AE22, 0х71374491, Ox23EF65CD, 0хВ5СОЕВСЕ, 
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OxEC4D3B2F, OxE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0хЕЗ48В538, 
0х59Е111Е1, OxB605D019, 0х923Е82А4, OxAF194F9B, OxABICBEDS5, 
OxDA6D8118, OxD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE, 
0x243185BE, 0х4ЕЕ4В28С, 0х550С70С3, OxD5FFB4E2, Ox72BE5D74, 
OxF27B896F, Ox80DEBIFE, 0х3В1696В1, Ox9BDCO6A7, 0x25C71235, 
OxC19BF174, OxCF692694, 0хЕ49В69С1, Ox9EF14AD2, 0хЕЕВЕ4786, 
0x384F25E3, 0х0ЕС19рС6, Ox8B8CD5B5, 0х240СА1СС, 0х77АС9С65, 
Ox2DE92C6F, 0x592B0275, 0х4А7484АА, 0х6ЕА6Е483, Ox5CBOA9DC, 
OxBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, OxEE66DFAB, 
0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, OxBF597FC7, 
OxBEEFOEE4, OxC6EOO0BF3, Ox3DA88FC2, 0хр5А79147, 0x930AA725, 
0x06CA6351, 0хЕ003826Е, 0x14292967, 0х0А0Е6Е70, 0x27B70A85, 
0x46D22FFC, 0х2Е1В2138, 0x5C26C926, Ox4D2C6DFC, Ox5AC42AED, 
0x53380D13, Ox9D95B3DF, 0х650А7354, Ox8BAF63DE, 0х766АОАВВ, 
0x3C77B2A8, 0x81C2C92E, Ox47EDAEE6, 0x92722C85, 0x1482353B, 
OxA2BFE8A1, 0х4СЕ10364, 0хА81А664В, 0хВС423001, 0xC24B8B70, 
0хр0Е89791, OxC76C51A3, 0x0654BE30, 0х0192Е819, OxD6EF5218, 
0xD6990624, 0x5565A910, 0хЕ40Е3585, 0х5771202А, 0х106АА070, 
Ox32BBD1B8, 0х19А4С116, OxB8D2D0C8, 0х1Е376С08, 0x5141AB53, 
0х2748774С, OxDF8EEB99, 0х34ВОВСВ5, OxE19B48A8, 0х391С0СВ3, 
0xC5C95A63, Ox4ED8AA4A, OxE3418ACB, 0х5В9ССА4Е, 0х7763Е373, 
0x682E6FF3, OxD6B2B8A3, 0х748Е82ЕЕ, Ox5DEFB2FC, 0x78A5636F, 
0x43172F60, 0x84C87814, OxA1F0AB72, 0х8СС70208, 0х1А6439ЕС, 
Ox90BEFFFA, 0x23631E28, 0хА4506СЕВ, OxDE82BDE9, OxBEF9A3F7, 
0xB2C67915, 0xC67178F2, 0xE372532B, 0хСА273ЕСЕ, OxEA26619C, 
OxD186B8C7, 0x21C0C207, OxEADA7DD6, OxCDEOEBIE, OxF57D4F7F, 
OxEE6ED178, 0х06ЕО067АА, 0x72176FBA, 0x0A637DC5, 0xA2C898A6, 
0x113F9804, OxBEF90DAE, 0х1В710В35, 0х131С471В, 0x28DB77F5, 
0x23047D84, 0x32CAAB7B, 0x40C72493, 0х3С9ЕВЕОА, 0х15С9ВЕВС, 
0x431D67C4, 0x9C100DA4C, 0х4СС504ВЕ, OxCB3E42B6, 0x597F299C, 
OxFC657E2A, Ox5FCB6FAB, Ox3AD6FAEC, 0x6C44198C, 0х4А475817 


у; 


int t, t2, t8; /* Loop counter */ 

uint32 t templ[2], temp2[2], /* Temporary word values */ 
temp3[2], temp4[2], temp5[2]; 

uint32 t W[2*80]; /* Word sequence */ 


uint32 t A[2], B[2], C[2], D[2], /* Word buffers */ 
E[2], F[2], G[2], H[2]; 


/* Initialize the first 16 words in the array W */ 
for (t = t2 t8 = 0; t < 16; t++, t8 += 8) { 


W[t2++] = ((((uint32 t)context-»Message Block[t8 102. << 24) | 
((((uint32 t)context-»Message Block[t8 + 1])) << 16) | 
((((uint32 t)context-»Message Block[t8 + 2])) << 8) | 
((C(uint32 t)context-»Message Block[t8 + 31))); 

W[t2++] = ((((uint32 t)context-»Message Block[t8 + 4])) << 24) 
((((uint32 t)context-»Message Block[t8 + 5])) << 16) 
(((C(uint32 t)context-»Message Block[t8 + 6])) << 8) | 
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((C(uint32 t)context-»Message Block[t8 + 71))); 


for (t = 16; t < 80; tt++, t2 += 2) { 


} 


/* W[t] = SHA512 sigmal(W[t-2]) + W[t-7] + 
SHA512_sigma0 (W[t-15]) + W[t-16]; */ 

uint32 t *Wt2 = &W[t2-2*2]; 

uint32 t *Wt7 = &W[t2-7*2]; 

uint32 t *Wt15 &W[t2-15*2]; 

uint32 t *Wt16 = &W[t2-16*2]; 

SHA512 sigmal(Wt2, templ); 

SHA512 ADD(templ, Wt7, temp2); 

SHA512 sigma0 (Wt15, templ); 

SHA512 ADD(templ, Wt16, temp3); 

5НА512 ADD(temp2, temp3, &W[t2]); 


A[0] = context-»Intermediate Hash[0]; 
A[1] = context-»Intermediate Hash[1]; 
B[0] = context-»Intermediate Hash[2]; 
B[1] = context-»Intermediate Hash[3]; 
C[0] = context-»Intermediate Hash[4]; 
C[1] = context-»Intermediate Hash[5]; 
D[0] = context-»Intermediate Hash[6]; 
D[1] = context-»Intermediate Hash[7]; 
Е[0] = context-»Intermediate Hash[8]; 
Е[1] = context-»Intermediate Hash[9]; 
F[0] = context-»Intermediate Hash[10]; 
F[1] = context-»Intermediate Hash[11]; 
G[0] = context-»Intermediate Hash[12]; 
G[1] = context-»Intermediate Hash[13]; 
H[0] = context-»Intermediate Hash[14]; 
H[1] = context-»Intermediate Hash[15]; 


for (t = t2 = 0; t < 80; tt++, t2 += 2) | 


х templ = H + 5НА512 5ІСМА1(Е) + ЗНА Ch(E,F,G) + K[t] 


SHA512_SIGMA1 (E, temp1) ; 

SHA512 ADD(H, templ, temp2); 

ЗНА Ch (E,F,G,temp3); 

SHA512 ADD(temp2, temp3, temp4); 


5НА512 ADD(SK[t2], &W[t2], temp5); 
SHA512 ADD(temp4, temp5, templ); 
/* 


* temp2 = 5НА512 SIGMAO(A) + ЗНА Мај (А,В,С); 
*/ 
SHA512_SIGMAO (А, temp3) ; 
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SHA_Maj(A,B,C,temp4) ; 
SHA512_ADD(temp3, temp4, temp2); 
H[0] = G[0]; H[1] = GI1]; 

G[0] F[0]; G[1] = Е[1]; 

Е[0] = E[0]; FI1] = Е[1]; 

5НА512 ADD(D, templ, E); 

D[O] = C[0]; DI1] = CI1]; 

C[0] = В[0]; CI1] = BI1]; 

B[0] = A[0]; В[1] = А[1]; 

SHA512 ADD(templ, temp2, A); 


-- 


SHA512 ADDTO2(&context-»Intermediate Hash[0], А); 
SHA512 ADDTO2(&context-»Intermediate Hash[2], B); 
SHA512 ADDTO2(&context-»Intermediate Hash[4], C); 
SHA512 ADDTO2(&context-»Intermediate Hash[6], D); 
SHA512 ADDTO2(&context-»Intermediate Hash[8], E); 
SHA512 ADDTO2(&context-»Intermediate Hash[10], F); 
SHA512 ADDTO2(&context-»Intermediate Hash[12], С); 
SHA512 ADDTO2(&context-»Intermediate Hash[14], H); 


#else /* !USE 32BIT ONLY */ 
/* Constants defined in FIPS 180-3, section 4.2.3 */ 
static const uint64 t K[80] = ( 
0x428A2F98D728AE2211, 0x7137449123EF65CD11, ОхВ5СОЕВСЕЕСАрЗВ2Ғ11, 
0хЕ9В50ВА58189рВВС11, 0x3956C25BF348B53811, 0x59F111F1B605D01911, 
0х923Е82А4АЕ194Е9В11, OxABIC5ED5DA6D811811, 0xD807AA98A303024211, 
0х12835В0145706ЕВЕ11, 0х243185ВЕ4ЕЕ4В28С11, 0x550C7DC3D5FFBA4E211, 
Ox72BE5D74F27B896F11, Ox80DEBIFE3B1696B111, 0x9BDC06A725C7123511, 
0хС19ВЕ174СЕ69269411, OxE49B69C19EF14AD211, OxEFBE4786384F25E311, 
OxOFC19DC68B8CD5B511, 0х240СА1СС77АС9С6511, Ox2DE92C6F592B027511, 
0х4А7484АА6ЕА6Е48311, OxS5CBOAIDCBD41FBD411, 0x76F988DA831153B511, 
0х983Е5152ЕЕ66ГЕАВ11, 0xA831C66D2DB4321011, 0хВО0327С898ЕВ213Е11, 
0хВЕ5Б97ЕС7ВЕЕЕОЕЕ411, 0хС6ЕО00ВЕЗЗГА88ЕС211, 0xD5A79147930AA72511, 
0х06СА6351Е003826Е11, 0x142929670A0E6E7011, 0х27В70А8546022ҒЕС11, 
0х2Е1В21385С26С92611, Ox4D2C6DFC5AC42AED11, 0x53380D139D95B3DFll, 
0x650A73548BAF63DEl11, 0x766A0ABB3C77B2A811, 0х81С2С92Е47ЕПАЕЕ611, 
0x92722C851482353Bl11, OxA2BFE8A14CF1036411, 0xA81A664BBC42300111, 
OxC24B8B70D0F8979111, 0xC76C51A30654BE3011, OxD192E819D6EF521811, 
0xD69906245565A91011, 0хЕ40Е35855771202А11, 0x106AA07032BBD1B811, 
0х19А4С116В8р200С811, Ox1E376C085141AB5311, 0x2748774CDF8EEB9911, 
0х34В0ВСВ5Е19В48А811, 0х391С0СВ3С5С95А6311, Ox4ED8AA4AE3418ACB11, 
0х589ССА4Е7763Е37311, Ox682E6FF3D6B2B8A311, 0х748Е82ЕЕОПЕЕВ2ЕС11, 
0x78A5636F43172F6011, 0x84C87814A1F0AB7211, 0х8СС702081А6439ЕС11, 
Ox90BEFFFA23631E2811, OxA4506CEBDE82BDE911, OxBEF9A3F7B2C6791511, 
0хС67178Е2Е372532811, 0хСА273ЕСЕЕА26619С11, OxD186B8C721C0C20711, 
OxEADA7DD6CDEOEBIEl11, OxF57D4F7FEE6ED17811, 0х06Е067АА72176ЕВА11, 
0x0A637DC5A2C898A611, 0х113Е9804ВЕЕ90ГАЕ11, 0x1B710B35131C471B11, 


I 
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0x28DB77F523047D8411, 0x32CAAB7B40C7249311, 0х3С9ЕВЕОА15С9ВЕВС11, 
0x431D67C49C100DA4Cll, 0х4СС5р4ВЕСВЗЕ42В611, 0х597Е299СЕС657Е2А11, 
Ox5FCB6FAB3ADGFAECll, 0x6C44198C4A47581711 

у; 


int t, t8; /* Loop counter */ 
uint64 t templ, temp2; /* Temporary word value */ 
uint64 t W[80]; /* Word sequence */ 


uint64 t A, B, C, D, E, F, G, H; /* Word buffers */ 


/* 
* Initialize the first 16 words in the array W 
х/ 
for (t = t8 = 0; t < 16; t++, t8 += 8) 
W[t] = ((uint64_t) (context->Message_Block[t8 ]) << 56) | 
((uint64 t) (context-»Message Block[t8 + 11) << 48) | 
((uint64 t) (context-»Message Block[t8 + 21) << 40) 
((uint64 t) (context-»Message Block[t8 + 31) << 32) 
((uint64 t) (context-»Message Block[t8 + 41) << 24) | 
((uint64 t) (context-»Message Block[t8 + 5]) << 16) | 
((uint64 t) (context-»Message Block[t8 + 6]) << 8) | 
((uint64 t) (context-»Message Block[t8 + 7])); 


for (t = 16; t < 80; +++) 
W[t] = 5НА512 sigmal(W[t-2]) + W[t-7] + 
SHA512 sigma0 (W[t-15]) + W[t-16]; 


= context-»Intermediate Hash[0]; 
= context-»Intermediate Hash[1]; 
= context-»Intermediate Hash[2]; 

context-»Intermediate Hash[3]; 


= context-»Intermediate Hash[4]; 
= context-»Intermediate Hash[5]; 
= context-»Intermediate Hash[6]; 
= context-»Intermediate Hash[7]; 


шон ОО Ш> 
ll 


for (t = 0; t < 80; ttt) ( 
templ = Н + 5НА512 51СМА1(Е) + SHA Ch(E,F,G) + K[t] + W[t]; 
temp2 = SHA512 SIGMAO(A) + SHA Мај (А,В,С); 
= G; 


000080 Ч (уыш 
ll 
Q 


= templ + temp2; 
} 


context-»Intermediate Hash[0] += A; 
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context-»Intermediate Hash[1] += 
context-»Intermediate Hash[2] += 
context-»Intermediate Hash[3] += 
context-»Intermediate Hash[4] += 
context-»Intermediate Hash[5] += 
context-»Intermediate Hash[6] += 
context-»Intermediate Hash[7] += 
#endif /* USE 32BIT ONLY */ 


M ч, 


PL 


-. 


-. 


T ці fd ph t c0 19 


-. 


context-»Message Block Index = 0; 
} 
/* 
* SHA384 512Finalize 
* 
* Description: 
* This helper function finishes off the digest calculations. 
* 
* Parameters: 
* context: [in/out] 
* The SHA context to update. 
Е Pad Byte: [in] 
K The last byte to add to the message block before the 0-padding 
й and length. This will contain the last bits of the message 
2 followed by another single bit. If the message was ап 
* exact multiple of 8-bits long, Pad Byte will be 0x80. 
* 
* Returns: 
* sha Error Code. 
* 
*/ 


static void SHA384_512Finalize(SHA512Context *context, 
uint8_t Pad_Byte) 
{ 
int_least16_t i; 
SHA384_512PadMessage (context, Pad Byte); 
/* message may be sensitive, clear it out */ 
for (1 = 0; i < SHA512 Message Block Size; ++i) 


context-»Message Block[i] = 0; 
#ifdef USE 32BIT ONLY /* and clear length * 
context-»Length[0] = context-»Length[1] = 0; 
context-»Length[2] = context-»Length[3] = 0; 


фе1ѕе /* !USE 32BIT ONLY */ 

context-»Length High = context-»Length Low = 0; 
fendif /* USE 32BIT ONLY */ 

context-»Computed = 1; 


} 
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SHA384_512PadMessage 


Description: 
According to the standard, the message must be padded to the next 
even multiple of 1024 bits. The first padding bit must be a "1". 
The last 128 bits represent the length of the original message. 
All bits in between should be 0. This helper function will 
pad the message according to those rules by filling the 
Message_Block array accordingly. When it returns, it can be 
assumed that the message digest has been computed. 


Parameters: 

context: [in/out] 
The context to pad. 

Pad_Byte: [in] 
The last byte to add to the message block before the 0-padding 
and length. This will contain the last bits of the message 
followed by another single bit. If the message was an 
exact multiple of 8-bits long, Pad Byte will be 0x80. 


Returns: 
Nothing. 


+ + + + ж ж ж ж ж ж ж ж ж ж ж ж ЖЖЖ Ro X Xo X 


ж 


kj 
static void SHA384 512PadMessage(SHA512Context *context, 
uint8 t Pad Byte) 
{ 


* Check to see if the current message block is too small to hold 

* the initial padding bits and length. If so, we will pad the 

* block, process it, and then continue padding into a second 

* block. 

%2. 

if (context-»Message Block Index >= (SHA512_Message_Block_Size-16)) ( 

context-»Message Block[context-»Message Block Іпаех++] = Pad Byte; 

while (context-»Message Block Index < SHA512 Message Block Size) 
context-»Message Block[context-»Message Block Іпаех++] = 0; 


SHA384 512ProcessMessageBlock (context); 
) else 
context-»Message Block[context-»Message Block Index-**] = Pad Byte; 


while (context-»Message Block Index < (SHA512 Message Block Size-160)) 
context-»Message Block[context-»Message Block Іпаех++] = 0; 


/* 
* Store the message length as the last 16 octets 
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Af 
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#ifdef USE 32BIT. ONLY 
context-»Message Block[112] 
context-»Message Block[113] 
context-»Message Block[114] 
context-»Message Block[115] 


#else /* 


context-»Message Block[116] 
context-»Message Block[117] 
context-»Message Block[118] 
context-»Message Block[119] 


context-»Message Block[120] 
context-»Message Block[121] 
context-»Message Block[122] 
context-»Message Block[123] 
context-»Message Block[124] 
context-»Message Block[125] 
context-»Message Block[126] 
context-»Message Block[127] 
!USE 32BIT ONLY */ 

context-»Message Block[112] 
context-»Message Block[113] 
context-»Message Block[114] 
context-»Message Block[115] 
context-»Message Block[116] 
context-»Message Block[117] 
context-»Message Block[118] 
context-»Message Block[119] 


context-»Message Block[120] 
context-»Message Block[121] 
context-»Message Block[122] 
context-»Message Block[123] 
context-»Message Block[124] 
context-»Message Block[125] 
context-»Message Block[126] 
context-»Message Block[127] 


#endif /* USE 32BIT ONLY */ 


} 


* + + ж ж ж 


SHA384_512ProcessMessageBlock (context) ; 


SHA384_512ResultN 


Description: 


HMAC-SHAs, 


(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
(uint8 t 
uint8 t 
uint8 t 
uint8 t 
uint8 t 
uint8 t 
uint8 t 
uint8 t 


( 
( 
( 
( 
( 
( 
( 
(uint8 t 


) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 
) 


) 
) 
) 
) 
) 
) 
) 
) 


and HKDF 


(context-»Length[0] 
(context-»Length[0] 
(context-»Length[0] 
(context-»Length[0]); 
(context-»Length[1] 
(context-»Length[1] 
(context-»Length[1] 
(context-»Length[1]); 
context-»Length[2] 
context-»Length[2] 
context-»Length[2] 
context-»Length[2]); 
context-»Length[3] 
context-»Length[3] 
context-»Length[3] > 
context-»Length[3]); 


——————— 


context-»Length Н 
context-»Length Н 
context-»Length Н 
context-»Length Н 
context-»Length Н 
context-»Length Н 
context-»Length Н 
context-»Length Н 


igh 
igh 
igh 
igh 
igh 
igh 
igh 


( 
( 
( 
( 
( 
( 
( 
( igh 


context-»Length Low 
context-»Length Low 
context-»Length Low 
context-»Length Low 
context-»Length Low 
context-»Length Low 
context-»Length Low 
context-»Length Low) 


———————— 


May 2011 


> 


>> 
); 


>> 
>> 
>> 
>> 
>> 
>> 
>> 


, 


This helper function will return the 384-bit or 512-bit message 
digest into the Message Digest array provided by the caller. 
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* — NOTE: 

* The first octet of hash is stored in the element with index 0, 
№ the last octet of hash іп the element with index 47/63. 
* 

* Parameters: 

* context: [in/out] 

* The context to use to calculate the SHA hash. 

* Message_Digest[ ]: [out] 

* Where the digest is returned. 

Ж HashSize: [in] 

* The size of the hash, either 48 or 64. 

* 

* Returns: 

* sha Error Code. 

* 

х/ 


static int SHA384 512ResultN(SHA512Context *context, 
uint8 t Message Digest[ ], int HashSize) 
{ 
int i; 
#ifdef USE_32BIT_ONLY 
int i2; 
#endif /* USE_32BIT_ONLY */ 


if (!context) return shaNull; 
if (!Message Digest) return shaNull; 
if (context-»Corrupted) return context-»Corrupteg; 


if (!context-»Computed) 
SHA384 512Finalize(context, 0x80); 


#ifdef USE 32BIT. ONLY 
for (i = i2 = 0; i « HashSize; ) { 

Message_Digest [it+t+]=(uint8_t) (context-»Intermediate Hash[i2]»»24); 
Message_Digest [it+t+]=(uint8_t) (context-»Intermediate Hash[i2]»»16) 
Message_Digest [it+t+]=(uint8_t) (context-—>Intermediate_Hash[i2]>>8); 
Message_Digest [it+t+]=(uint8_t) (context—>Intermediate_Hash[i2++]); 
Message_Digest [it+t+]=(uint8_t) (context-»Intermediate Hash[i2]»»24); 

( ) 
( 
( 


, 


Message Digest[i--*]-(uint8 t) (context-»Intermediate На5п І121»»16); 
context-»Intermediate Наѕһ [12]>>8) ; 


context-»Intermediate Назв [12++]) ; 


Message_Digest [i++]=(uint8_t 
Message Digest[i-*]-(uint8 t 


) 
) 
) 
) 
) 
) 
) 
) 


——————— 


) 
#else /* !USE 32BIT ONLY */ 


for (i = 0; i « HashSize; ++i) 
Message Digest[i] = (uint8 t) 
(context->Intermediate_Hash[i>>3] >> 8 Х (7- (i 5 8 ) )); 


#endif /* USE 32BIT ONLY */ 
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return shaSuccess; 


} 
8.2.4.  usha.c 


[KKK KKK KKK KK KKK KK KK KKK KK ke ke ЖК К К usha.c KOKCkCkCk ck kck ck KK KK KK KK ke Ж / 


d See RFC 6234 for details. ХХХ К / 
/* Copyright (с) 2011 IETF Trust and the persons identified as */ 


/* authors of the code. All rights reserved. х / 

/* See sha.h for terms of use and redistribution. Жу 

/* 

* Description: 

іі This file implements а unified interface to the SHA algorithms. 
Зу 


#include "sha.h" 


/ 
USHAReset 


Description: 
This function will initialize the SHA Context in preparation 
for computing a new SHA message digest. 


Parameters: 
context: [in/out] 
The context to reset. 
whichSha: [in] 
Selects which SHA reset to call 


Returns: 
sha Error Code. 


+ + + + ж ж ж ж ж ж ж ж ж X X X X 


/ 

int USHAReset (USHAContext *context, enum SHAversion whichSha) 

{ 

if (!context) return shaNull; 

context-»whichSha = whichSha; 

switch (whichSha) { 
case 5НА1: return SHAlReset((SHAlContext*)&context-»ctx); 
case SHA224: return SHA224Reset ((SHA224Context*) &context—>ctx) ; 
case SHA256: return SHA256Reset ((SHA256Context*) &context—>ctx) ; 
case SHA384: return SHA384Reset ( (SHA384Context*) &сопіехі->сіх) 
case SHA512: return SHA512Reset((SHA512Context*)&context-»ctx) 
default: return shaBadParam; 


Ld 


Ғғ 
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USHAInput 
Description: 
of the message. 
Parameters: 
context: [in/out] 
The SHA context 
message_array: [in] 
the message. 


length: [in] 


Returns: 
sha Error Code. 


+ + ox ож + ж ж ж ж ж ж o ж ж ж ж ж ж ж 


/ 


to update. 


The length of the message in message_array. 


int USHAInput (USHAContext *context, 
*bytes, unsigned int bytecount) 


const uint8 t 


{ 


if (!context) return shaNull; 


switch (context-»whichSha) 
case 5НА1: 


return SHAlInput ((SHAlContext*)&context-»ctx, 
bytecount); 


case SHA224: 


return SHA224Input ((SH 


bytecount); 
case SHA256: 


return SHA256Input ( (SH 


bytecount); 
case SHA384: 


return SHA384Input ( (SH 


bytecount); 
case SHA512: 


return SHA512Input ( (SH 


bytecount); 


{ 


A224Context*)&context-»ctx, 


A256Context*)&context-»ctx, 


A384Context*)&context-»ctx, 


A512Context*)&context-»ctx, 


default: return shaBadParam; 


Eastlake & Hansen 
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An array of octets representing the next portion of 


bytes, 


bytes, 


bytes, 


bytes, 


bytes, 
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This function accepts an array of octets as the next portion 
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/* 

* USHAFinalBits 

* 

* Description: 

Е This function will ааа іп any final bits of the message. 

* 

* Parameters: 

* context: [in/out] 

* The SHA context to update. 

* message bits: [in] 

* The final bits of the message, in the upper portion of the 
* byte. (Use Ob###00000 instead of 0b00000444 to input the 
* three bits ###.) 

7, length: [in] 

* The number of bits in message_bits, between 1 and 7. 

* 

* Returns: 

* sha Error Code. 

* 


/ 
int USHAFinalBits (USHAContext *context, 
uint8 t bits, unsigned int bit count) 

{ 

if (!context) return shaNull; 

switch (context-»whichSha) { 

case 5НА1: 
return SHAlFinalBits((SHAlContext*)&context-»ctx, bits, 

bit count); 
case SHA224: 

return SHA224FinalBits((SHA224Context*)&context-»ctx, bits, 
bit count); 
case SHA256: 

return SHA256FinalBits((SHA256Context*)&context-»ctx, bits, 
bit count); 
case SHA384: 

return SHA384FinalBits((SHA384Context*)&context-»ctx, bits, 
bit count); 
case SHA512: 

return SHA512FinalBits((SHA512Context*)&context-»ctx, bits, 

bit count); 

default: return shaBadParam; 
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USHAResult 


Description: 


Parameters: 
context: [in/out] 
The context to use 
Message_Digest: [out] 


Returns: 
sha Error Code. 


+ + + + + ж ж ж ж ж ж ж ж ж ж ж ж F OF 


/ 


to calculate the SHA-1 hash. 


Where the digest is returned. 


int USHAResult (USHAContext *context, 
uint8 t Message Digest[USHAMaxHashSize]) 


( 


if (!context) return shaNull; 
switch (context-»whichSha) { 


case 5НА1: 


return SHAlResult((SHAlContext*)&context-»ctx, 


case SHA224: 
return SHA224Result( 


case SHA256: 
return SHA256Result( 


case SHA384: 
return SHA384Result( 


case SHA512: 
return SHA512Result ( 


(SHA224Context*)&context-»ctx, 
Message Digest); 


(SHA256Context*)&context-»ctx, 
Message Digest); 


(SHA384Context*)&context-»ctx, 
Message Digest); 


(SHA512Context*)&context-»ctx, 
Message Digest); 


default: return shaBadParam; 


USHABlockSize 


Description: 


+ + + ж ж ж 


algorithm. 
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This function will return the message digest of the appropriate 
bit size, as returned by USHAHashSizeBits (whichSHA) 
'whichSHA' value used in the preceeding call to USHAReset, 
into the Message_Digest array provided by the caller. 


for the 


Message_Digest) ; 


This function will return the blocksize for the given SHA 
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Parameters: 
whichSha: 


Returns: 
block size 


+ ж ож ж ж ж ж 


ж 


ж/ 
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which SHA algorithm to query 


int USHABlockSize(enum SHAversion whichSha) 


{ 
switch (whichSh 

case 5НА1: 
case SHA224: 
case SHA256: 
case SHA384: 
default: 

case SHA512: 


USHAHashSize 


Description: 
This functio 
algorithm. 


Parameters: 


whichSha: 


Returns: 
hash size 


+ + + + ж ж ж ж ж ж ж ж ж ж X 


/ 


а) { 
return 
return 
return 
return 


return 


n will 


5НА1 Message Block Size; 

SHA224 Message Block Size; 
SHA256 Message Block Size; 
SHA384 Message Block Size; 


SHA512 Message Block Size; 


return the hashsize for the given SHA 


which SHA algorithm to query 


int USHAHashSize(enum SHAversion whichSha) 


{ 
switch (whichSh 

case 5НА1: 
case SHA224: 
case SHA256: 
case SHA384: 
default: 

case SHA512: 


Eastlake & Hansen 


a) { 
return 
return 
return 
return 


return 


SHAlHashSize; 

SHA224HashSize; 
SHA256HashSize; 
SHA384HashSize; 


SHA512HashSize; 
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USHAHashSizeBi 


Description: 


Parameters: 
whichSha: 


Returns: 
hash size in 


+ ж X ж ж + X X X X Xo Xo xoxo ж 


/ 


ts 


bits 
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This function will return the hashsize for the given SHA 
algorithm, expressed in bits. 


which SHA algorithm to query 


int USHAHashSizeBits (enum SHAversion whichSha) 


{ 
switch (whichSh 

case 5НА1: 
case SHA224: 
case SHA256: 
case SHA384: 
default: 

case SHA512: 


USHAHashName 

Description: 
This functio 
as a string. 

Parameters: 


whichSha: 


Returns: 


+ + + + ж ж ж ж ж ж ж ж ж ж ж 


/ 


const char *USHAHashName (enum SHAversion whichSha) 


{ 
switch (whichSh 
case 5НА1: 
case SHA224: 
case SHA256: 


Eastlake & Hansen 


a) { 
return 
return 
return 
return 


return 


n will 


a) 4 
return 
return 
return 


SHAlHashSizeBits; 

SHA224HashSizeBits; 
SHA256HashSizeBits; 
SHA384HashSizeBits; 


SHA512HashSizeBits; 


May 2011 


return the name of the given SHA algorithm 


which SHA algorithm to query 


character string with the name in it 


"ЅНА1"; 
"SHA224"; 
"SHA256"; 
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case SHA384: return "SHA384"; 
default: 
case SHA512: return "SHA512"; 


} 


8.3. Тһе HMAC Code 


[KKK KKK KKK KK KKK KKK KKK KKK KK KKK hmac с KOR KK ck kck ck kck ck KK KK KK ke ke e k kx / 


d See RFC 6234 for details. KOK KK ck ck ck ck kok К / 
/* Copyright (c) 2011 IETF Trust and the persons identified as */ 


/* authors of the code. All rights reserved. */ 
/* See sha.h for terms of use and redistribution. */ 
/* 
* Description: 
* This file implements the HMAC algorithm (Keyed-Hashing for 
Е Message Authentication, [RFC 2104]), expressed in terms of 
Ж the various SHA algorithms. 
* 


/ 
#include "sha.h" 


/ 


hmac 


Description: 
This function will compute an HMAC message digest. 


Parameters: 
whichSha: [in] 
One of SHA1, SHA224, SHA256, SHA384, SHA512 
message array[ ]: [in] 
An array of octets representing the message. 
Note: in RFC 2104, this parameter is known 
as 'text'. 
length: [in] 
The length of the message in message array. 
key[ ]: [in] 
The secret shared key. 
key len: [in] 
The length of the secret shared key. 
digest[ ]: [out] 
Where the digest is to be returned. 
NOTE: The length of the digest is determined by 
the value of whichSha. 
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Returns: 
sha Error Code. 


int hmac(SHAversion whichSha, 
const unsigned char *message_array, int length, 
const unsigned char *key, int key_len, 
uint8 t digest [USHAMaxHashSize] ) 


HMACContext context; 

return hmacReset(&context, whichSha, key, key len) || 
hmacInput(&context, message array, length) || 
hmacResult(&context, digest); 


hmacReset 


Description: 
This function will initialize the hmacContext in preparation 
for computing a new HMAC message digest. 


Parameters: 
context: [in/out] 
The context to reset. 
whichSha: [in] 
One of 5НА1, 5НА224, 5НА256, SHA384, SHA512 
key[ ]: [in] 
The secret shared key. 
key len: [in] 


The length of the secret shared key. 


sha Error Code. 


+ + + + + ж ж ж ж ж ж ж ж ж ж ж ж ж ж ж X 


int hmacReset (HMACContext *context, enum SHAversion whichSha, 
const unsigned char *key, int key_len) 


{ 


int i, blocksize, hashsize, ret; 


/* inner padding - key XORd with ipad */ 
unsigned char k ipad[USHA Max Message Block Size]; 


/* temporary buffer when keylen » blocksize */ 
unsigned char tempkey[USHAMaxHashSize]; 
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if (!context) return shaNull; 
context-»Computed = 0; 
context-»Corrupted = shaSuccess; 


blocksize = context->blockSize = USHABlockSize (whichSha) ; 
hashsize = context->hashSize = USHAHashSize (whichSha); 
context-»whichSha = whichSha; 


/* 
* If key is longer than the hash blocksize, 
* reset it to key = HASH(key). 
*/ 
if (key len > blocksize) { 
USHAContext tcontext; 
int err = USHAReset(&tcontext, whichSha) | | 
USHAInput(&tcontext, key, key len) | | 
USHAResult (&tcontext, tempkey) ; 
if (err != shaSuccess) return err; 


key = tempkey; 
key_len = hashsize; 


/* 
* The HMAC transform looks like: 

* 

* SHA(K XOR opad, SHA(K XOR ipad, text)) 

* 

* where K is an n byte key, O-padded to a total of blocksize bytes, 
* ipad is the byte 0x36 repeated blocksize times, 

* opad is the byte 0х5с repeated blocksize times, 

* and text is the data being protected. 

* 


/ 


/* store key into the pads, XOR'd with ipad and opad values */ 
for (i = 0; i < key len; i++) 4 
k_ipad[i] = key[i] * 0x36; 
context-»5k opad[i] = key[i] ^ 0x5c; 
} 
/* remaining pad bytes are 'N0' XOR'd with ipad and opad values */ 
for (; i < blocksize; i++) 4 
k_ipad[i] = 0x36; 
context-»5k opad[i] = 0х5с; 
} 


/* perform inner hash */ 
/* init context for lst pass */ 
ret = USHAReset(&context-»shaContext, whichSha) | | 


Eastlake & Hansen Informational [Page 81] 


RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 


/* and start with inner pad */ 
USHAInput (&context-»shaContext, К ipad, blocksize); 
return context-»Corrupted = ret; 


} 


/* 
хо hmacInput 

* 

* Description: 

* This function accepts an array of octets as the next portion 
* of the message. It may be called multiple times. 

* 

* Parameters: 

* context: [in/out] 

* The HMAC context to update. 

* text[ ]: [in] 

* An array of octets representing the next portion of 

* the message. 

X text_len: [in] 

Е The length of the message in text. 

* 

* Returns: 

Ж sha Error Code. 

* 

* 


/ 
int hmacInput (HMACContext *context, const unsigned char *text, 
int text len) 

{ 
if (!context) return shaNull; 
if (context-»Corrupted) return context-»Corrupteg; 
if (context-»Computed) return context-»Corrupted = shaStateError; 
/* then text of datagram */ 
return context-»Corrupted = 

USHAInput(&context-»shaContext, text, text len); 


hmacFinalBits 


Description: 
This function will add in any final bits of the message. 


Parameters: 
context: [in/out] 
The HMAC context to update. 
message bits: [in] 
The final bits of the message, in the upper portion of the 
byte. (Use Ob###00000 instead of 0500000444 to input the 
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three bits ###.) 
length: [in] 
The number of bits in message_bits, between 1 and 7. 


Returns: 
sha Error Code. 


+ + ож ж ож ж ж 


/ 
int hmacFinalBits (HMACContext *context, 
uint8 t bits, unsigned int bit count) 

( 
if (!context) return shaNull; 
if (context-»Corrupted) return context-»Corrupteg; 
if (context-»Computed) return context-»Corrupted = shaStateError; 
/* then final bits of datagram */ 
return context-»Corrupted = 

USHAFinalBits(&context-»shaContext, bits, bit count); 


/* 
* hmacResult 

* 

* Description: 

Ж This function will return the N-byte message digest into the 

Е Message_Digest array provided by the caller. 

* 

* Parameters: 

* context: [in/out] 

X The context to use to calculate the HMAC hash. 

* digest[ ]: [out] 

* Where the digest is returned. 

25 NOTE 2: The length of the hash is determined by the value of 
* whichSha that was passed to hmacReset(). 

* 

* Returns: 

Ж sha Error Code. 

* 

* 


/ 

int hmacResult (HMACContext *context, uint8 t *digest) 

{ 

int ret; 

if (!context) return shaNull; 

if (context-»Corrupted) return context-»Corrupteg; 

if (context-»Computed) return context-»Corrupted = shaStateError; 


/* finish up 1st pass */ 
/* (Use digest here as a temporary buffer.) */ 
ret = 

USHAResult(&context-»shaContext, digest) || 
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/* perform outer SHA */ 
/* init context for 2nd pass */ 
USHAReset (&context->shaContext, context-»whichSha) | | 


/* start with outer pad */ 
USHAInput (&context-—>shaContext, сопїехї-»К opad, 
context-»blockSize) | | 


/* then results of 1st hash */ 

USHAInput (&context—>shaContext, digest, context-»hashSize) | | 
/* finish up 2nd pass */ 

USHAResult (&context-»shaContext, digest); 


context-»Computed = 1; 
return context-»Corrupted = ret; 


} 
8.4. The HKDF Code 


[KKK KKK KKK KK KKK KK KK KKK KK KK KKK hkdf.c KOK KK ck kck ck kck ck ck ck ck ck К / 


d See RFC 6234 for details. KOK KKK kck ck kck К / 
/* Copyright (c) 2011 IETF Trust and the persons identified as */ 


/* authors of the code. All rights reserved. */ 
/* бее sha.h for terms of use and redistribution. */ 
/* 

* Description: 


ж 


This file implements the HKDF algorithm (HMAC-based 
Extract-and-Expand Key Derivation Function, RFC 5869), 
expressed in terms of the various SHA algorithms. 


ж ж 


*/ 


#include "sha.h" 
#include <string.h> 
#include <stdlib.h> 


/* 
* hkdf 

* 

* Description: 

* This function will generate keying material using HKDF. 
* 

* Parameters: 

* whichSha: [in] 

Ж One of 5НА1, SHA224, 5НА256, SHA384, 5НА512 

* salti T [in] 

Ж Тһе optional salt value (а non-secret random value); 
Е if not provided (salt == NULL), it is set internally 
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int 


to a string of HashLen(whichSha) zeros. 


salt_len: [in] 
The length of the salt value. (Ignored if salt == NULL.) 
ikm[ ]: [in] 
Input keying material. 
ikm_len: [in] 
The length of the input keying material. 
info[ ]: [in] 
The optional context and application specific information. 
If info -- NULL or a zero-length string, it is ignored. 
info len: [in] 
The length of the optional context and application specific 
information. (Ignored if info == NULL.) 
okm[ 1: [out] 
Where the HKDF is to be stored. 
okm len: [in] 


The length of the buffer to hold okm. 
окт len must be <= 255 * USHABlockSize (whichSha) 


Notes: 
Calls hkdfExtract() and hkdfExpand(). 


Returns: 
sha Error Code. 


hkdf (SHAversion whichSha, 

const unsigned char *salt, int salt len, 
const unsigned char *ikm, int ikm len, 
const unsigned char *info, int info len, 
uint8 t okm[ ], int okm len) 


uint8 t prk[USHAMaxHashSize]; 
return hkdfExtract(whichSha, salt, salt len, ikm, ikm len, prk) | | 


+ + + + ж ж ж ж ж ж 


hkdfExpand(whichSha, prk, USHAHashSize(whichSha), info, 
info_len, okm, okm_len); 


hkdfExtract 


Description: 
This function will perform HKDF extraction. 


Parameters: 
whichSha: [in] 
One of 5НА1, 5НА224, 5НА256, SHA384, SHA512 
salt[ ]: [in] 
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The optional salt value (a non-secret random value); 
if not provided (salt == NULL), it is set internally 
to a string of HashLen(whichSha) zeros. 
salt_len: [in] 
The length of the salt value. (Ignored if salt == NULL.) 
ikm[ ]: [in] 
Input keying material. 
ikm len: [in] 
The length of the input keying material. 
prk[ 1: [out] 


+ + + + ж ж ж ж ж ж ж ж ж ж ж X ж 


int 


Array where the HKDF extraction is to be stored. 


Must be larger than USHAHashSize (whichSha) ; 


Returns: 
sha Error Code. 


hkdfExtract(SHAversion whichSha, 

const unsigned char *salt, int salt len, 
const unsigned char *ikm, int ikm len, 
uint8 t prk[USHAMaxHashSize]) 


unsigned char nullSalt[USHAMaxHashSize]; 


if 


} 


} 


return hmac(whichSha, ikm, ikm len, salt, salt len, prk); 


(salt == 0) { 
salt = nullSalt; 
salt len = USHAHashSize (whichSha); 
memset (nullSalt, 'N0', salt len); 
else if (salt len < 0) { 
return shaBadParam; 


/* 
хо  hkdfExpand 
* 
* Description: 
2 This function will perform HKDF expansion. 
* 
* Parameters: 
Ж whichSha: [іп] 
Е One of SHA1, SHA224, SHA256, SHA384, SHA512 
T prk[ 1: [in] 
Ж The pseudo-random key to be expanded; either obtained 
* directly from a cryptographically strong, uniformly 
* distributed pseudo-random number generator, or as the 
* output from hkdfExtract(). 
Ж prk_len: [in] 
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The length of the pseudo-random key in prk; 
should at least be equal to USHAHashSize (whichSHA). 
info[ 1: [in] 
The optional context and application specific information. 
If info == NULL or a zero-length string, it is ignored. 
info len: [in] 
The length of the optional context and application specific 
information. (Ignored if info -- NULL.) 
okm[ ]: [out] 
Where the HKDF is to be stored. 
okm len: [in] 
The length of the buffer to hold okm. 
окт len must be <= 255 * USHABlockSize (whichSha) 


Returns: 
sha Error Code. 


+ + + + + ж ж ж ж ж ж ж ж Ro ж ж ж ж 


/ 

int hkdfExpand(SHAversion whichSha, const uint8_t prk[ 1, int prk_len, 
const unsigned char *info, int info_len, 

uint8_t okm[ ], int okm_len) 


int hash_len, N; 
unsigned char T[USHAMaxHashSize]; 
int Tlen, where, i; 


if (info == 0) { 
info = (const unsigned char *)""; 
info_len = 0; 


} else if (info_len < 0) { 
return shaBadParam; 
} 
if (okm_len <= 0) return shaBadParam; 
if (!okm) return shaBadParam; 


hash len = USHAHashSize (whichSha) ; 

if (prk_len < hash_len) return shaBadParam; 
N = okm_len / hash_len; 

if ((okm len 5 hash len) != 0) N++; 

if (N > 255) return shaBadParam; 


Tlen = 0; 
where = 0; 
for (i = 1; i <= М; itt) { 
HMACContext context; 
unsigned char c = i; 
int ret = hmacReset (&context, whichSha, prk, prk len) || 
hmacInput (context, T, Tlen) || 
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hmacInput(&context, info, 
hmacInput (&écontext, «с, 1) | | 
hmacResult(&context, T); 


if (ret shaSuccess) 

memcpy (окш + where, T, 
(i != М) ? hash len 

where += hash len; 

Tlen hash len; 


return ret; 


(okm len - 


} 


return shaSuccess; 


hkdfReset 


Description: 


arbitrary length inputs. 


Parameters: 

context: [in/out] 
The context to reset. 

whichSha: [in] 
One of 5НА1, 

salt[ ]: [in] 
The optional salt value 
if not provided (salt 


SHA224, SHA256, 


NULL), 


salt len: [in] 
The length of the salt value. 


Returns: 
sha Error Code. 


+ + + + + ж ж ж ж ж ж ж ж ж ж ж ж ж ж ж ж ж Xo ж 


М. 


int hkdfReset (HKDFContext *context, 
const unsigned char *salt, 
{ 
unsigned char nullSalt[USHAMaxHashSize]; 
if (!context) return shaNull; 
context-»whichSha = whichSha; 
context-^»hashSize 


if (salt == 0) { 
salt = nullSalt; 
salt len = context-»^hashSize; 
memset (nullSalt, ’\0’, salt len); 
Eastlake & Hansen Informational 
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info_len) 


SHA384, 


to a string of HashLen (whichSha) 


May 2011 


where) ); 


This function will initialize the hkdfContext in preparation 
for key derivation using the modular HKDF interface for 


SHA512 


(a non-secret random value); 


it is set internally 
zeros. 


(Ignored if salt == NULL.) 


enum SHAversion whichSha, 
int salt_len) 


USHAHashSize (whichSha) ; 
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} 


return hmacReset(&context-»hmacContext, whichSha, salt, salt len); 


/* 
*  hkdfInput 

* 

* Description: 

* This function accepts an array of octets as the next portion 

Е of the input keying material. It may be called multiple times. 
* 

* Parameters: 

* context: [in/out] 

* The HKDF context to update. 

ni ikm[ ]: [in] 

* An array of octets representing the next portion of 

Е the input keying material. 

X ikm_len: [in] 

Е The length of ikm. 

* 

* Returns: 

Ж sha Error Code. 

* 

* 


/ 
int hkdfInput (HKDFContext *context, const unsigned char *ikm, 
int ikm len) 
{ 
if (!context) return shaNull; 
if (context-»Corrupted) return context-»Corrupteg; 
if (context-»Computed) return context-»Corrupted = shaStateError; 
return hmacInput(&context-»hmacContext, ikm, ikm len); 


/* 

* hkdfFinalBits 

* 

* Description: 

* This function will add in any final bits of the 

Ж input keying material. 

* 

* Parameters: 

* context: [in/out] 

* The HKDF context to update 

* ikm_bits: [in] 

* The final bits of the input keying material, in the upper 
* portion of the byte. (Use Ob###00000 instead of 05000004141 
* 


to input the three bits ###.) 
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ж ikm_bit_count: [in] 

* The number of bits in message_bits, between 1 and 7. 
* 

* Returns: 

* sha Error Code. 

*/ 


int hkdfFinalBits (HKDFContext *context, uint8 t ikm bits, 
unsigned int ikm bit count) 
{ 
if (!context) return shaNull; 
if (context-»Corrupted) return context-—>Corrupted; 


May 2011 


if (context-»Computed) return context-»Corrupted = shaStateError; 
return hmacFinalBits(&context-»hmacContext, ikm bits, ikm bit count); 


hkdfResult 
Description: 
final HKDF expansion. 


Parameters: 
context: [in/out] 
The HKDF context to use to calculate the HKDF hash. 
prk[ 1: [out] 
An optional location to store the HKDF extraction. 
Either NULL, or pointer to a buffer that must be 
larger than USHAHashSize (whichSha); 


The length of the buffer to hold okm. 
окт len must be <= 255 * USHABlockSize (whichSha) 


Returns: 
sha Error Code. 


+ ж ож Ж ож ож ж ж ж ж ж ж FF ж ж ж ж ж ж ж ж ж Xo ж Xo Xo Xo ж ж 


/ 

int hkdfResult (HKDFContext *context, 

uint8_t prk[USHAMaxHashSize], 

const unsigned char *info, int info_len, 
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This function will finish the HKDF extraction and perform the 


info[ 1: [in] 
The optional context and application specific information. 
If info == NULL or a zero-length string, it is ignored. 
info len: [in] 
The length of the optional context and application specific 
information. (Ignored if info -- NULL.) 
okm[ 1: [out] 
Where the HKDF is to be stored. 
okm len: [in] 
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uint8_t okm[ ], int okm_len) 


uint8 t prkbuf[USHAMaxHashSize]; 
int ret; 


if (!context) return shaNull; 

if (context-»Corrupted) return context-—>Corrupted; 

if (context-»Computed) return context-»Corrupted = shaStateError; 
( 
( 


if (!okm) return context-»Corrupted = shaBadParam; 
if (!prk) prk = prkbuf; 
ret = hmacResult (&context-»hmacContext, prk) || 


hkdfExpand(context-»whichSha, prk, context-»hashSize, info, 
info len, okm, okm len); 
context-»Computed = 1; 
return context-»Corrupted = ret; 


8.5. The Test Driver 


The following code is a main program test driver to exercise the code 
in shal.c, sha224-256.c, sha384-512.c, hmac.c, and hkdf.c. The test 
driver can also be used as a standalone program for generating the 
hashes. Note that the tests assume that character values are as in 
[US-ASCII] and a run time check warns if the code appears to have 
been compiled with some other character system. 


See also [SHAVS]. 


Ld shatest с KOR KKK kck ck kck ck KK KK KK KK KKK / 


[RKKKKKKK KKK KKK KKK See RFC 6234 for details. KOK KK KK KK KK KK KK KK / 
/* Copyright (c) 2011 IETF Trust and the persons identified as */ 
/* authors of the code. All rights reserved. */ 
/* See sha.h for terms of use and redistribution. i 


/ 
Description: 
This file will exercise the SHA code performing 
the three tests documented in FIPS PUB 180-3 
(http://csrc.nist.gov/publications/fips/ 
fips180-2/fips180-2withchangenotice.pdf) 
one that calls SHAInput with an exact multiple of 512 bits 
the seven tests documented for each algorithm in 
"The Secure Hash Algorithm Validation System (SHAVS)" 
(http://csrc.nist.gov/cryptval/shs/SHAVS.pdf), 
three of which are bit-level tests 


+ + + + ж ж ж ж ж ж ж X 


Eastlake & Hansen Informational [Page 91] 


RFC 6234 


Th 


Th 


Th 
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Port 
No 
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/ 


#include 
#include 
#include 
#include 
#include 
#include 
#include 


static i 


/ж 
ж Defi 
х/ 

#define 

#define 


#define 
#define 


#define 
#define 
#define 
#define 

/* a 
#define 
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ese tests have subsequently been moved to pages linked from 
http://csrc.nist.gov/groups/ST/toolkit/examples.html 


is file will exercise the HMAC 5НА1 code performing 
the seven tests documented in RFCs [RFC 2202] and [RFC 4231]. 


is file will exercise the HKDF code performing 
the seven tests documented in RFC 4869. 


run the tests and just see PASSED/FAILED, use the -p option. 


her options exercise: 

hashing an arbitrary string 
hashing a file's contents 

a few error test checks 

printing the results in raw format 


ability Issues: 
ne. 


«stdint.h» 

<stdio.h> 

<stdlib.h> 

<string.h> 

<ctype.h> 

<unistd.h> /* defines getopt() and optarg */ 
"sha.h" 


nt scasecmp(const char *51, const char *s2); 


ne patterns for testing 
TESTI "abc" 
TEST2 1 \ 


"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" 
TEST2 2a N 
"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn" 
TEST2 2b N 
"hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqgrstnopqrstu" 
TEST2 2 ТЕ5Т2 2a TEST2 2b 


TEST3 "a" /* times 1000000 */ 
TEST4a "01234567012345670123456701234567" 

TEST4b "01234567012345670123456701234567" 

n exact multiple of 512 bits */ 

TEST4 TEST4a TEST4b /* times 10 */ 
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#define TEST7_1 \ 
"\x49\xb2\xae\xc2\x59\x4b\xbe\x3a\x3b\x11\x75\x42\xd9\x4a\xc8" 

#define TEST8_1 \ 
"\x9a\x7d\xfd\xf1l\xec\xea\xd0\x6e\xd6\x46\xaa\x55\xfe\x75\x71\x46" 

#define TEST9 1 \ 
"\x65\xf£9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4\xa2\xe7\xla\xe7\x02\x20" 
"\xaa\xce\xc8\x96\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea\xaa\x10" 
"\xle\xa5\xaa\xbc\x52\x9b\x4e\x7e\x43\x66\x5a\x5a\xf£2\xcd\x03\xfe" 
"\x67\x8e\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2\x8b\x91\x09\xf4" 
"\x69\xda\xc9\x2a\xaa\xb3\xaa\x7c\x11\xal\xb3\x2a" 

#define TEST10_1 \ 

"\ x£7\x8£\x92\x14\x1b\xcd\x17\x0a\xe8\x9b\x4£\xba\x15\xal\xd5\x9f" 
"\x3£\xd8\x4d\x22\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e\xd1\x15" 
"\xa0\x6a\x7c\xel\x17\xb7\xbe\xea\xd2\x44\x21\xde\xd9\xc3\x25\x92" 
"\ xbd\x57\xed\xea\xe3\x9c\x39\xfa\xlf\xe8\x94\x6a\x84\xd0\xcf\x1lf" 
"\x7b\xee\xad\x17\x13\xe2\xe0\x95\x98\x97\x34\x7£\x67\xc8\x0b\x04" 
"\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83\x6f\xd5\x56\x2a\x56\xca" 
"\xb1\xa2\x8e\x81\xb6\x57\x66\x54\x63\x1lc\xf1\x65\x66\xb8\x6e\x3b" 
"\x33\xal\x08\xb0\x53\x07\xc0O\x0a\xf£\x14\xa7\x68\xed\x73\x50\x60" 
"\x6a\x0£\x85\xe6\xa9\x1d\x39\x6f£\x5b\x5c\xbe\x57\x7£\x9b\x38\x80" 
"\x7C\x7d\x52\x3d\x6d\x79\x2£\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27" 
"\xcd\xbb\xfb" 

#define TEST7_224 \ 
"\xf0\x70\x06\x£2\x5a\x0b\xea\x68\xcd\x76\xa2\x95\x87\xc2\x8d" 

#define ТЕЅТ8 224 М 
"\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f£\x9d\x93\xdf\x62" 

#define TEST9 224 \ 
"\xa2\xbe\x6e\x46\x32\x81\x09\x02\x94\xd9\xce\x94\x82\x65\x69\x42" 
"\x3a\x3a\x30\x5e\xd5\xe2\x11\x6c\xd4\xa4\xc9\x87\xfc\x06\x57\x00" 
"\x64\x91\xb1\x49\xcc\xd4\xb5\x11\x30\xac\x62\xb1\x9d\xc2\x48\xc7" 
"\x44\x54\x3d\x20\xcd\x39\x52\xdc\xed\x1l£\x06\xcc\x3b\x18\xb9\x1lf" 
"\x3£\x55\x63\x3e\xcc\x30\x85\x£4\x90\x70\x60\xd2" 

#define TEST10_224 \ 
"\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" 
"\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" 
"\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" 
"\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" 
"\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3£\x41\x6£\x£3\x2c\x66\x74" 
"\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5£\x48\xee\x47" 
"\x0d\x39\x6c\xle\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" 
"\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" 
"\xaf\x0d\xcl\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" 
"\x26\x9£\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" 
"\x87\x82\x73" 

#define TEST7_256 \ 

"\ xbe\x27\x46\xc6\xdb\x52\x76\x5£\xdb\x2£\x88\x70\x0£\x9a\x73" 

#define TEST8 256 \ 

"\ xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3\x88\x7a\xb2\xcd\x68\x46\x52" 
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#define TEST9 256 \ 
"\x3e\x74\x03\x71\xc8\x10\xc2\xb9\x9f\xc0\x4e\x80\x49\x07\xef\x7c" 
"\xf2\x6b\xe2\x8b\x57\xcb\x58\xa3\xe2\xf£3\xc0\x07\x16\x6e\x49\xcl" 
"\x2e\x9b\xa3\x4c\x01\x04\x06\x91\x29\xea\x76\x15\x64\x25\x45\x70" 
"\x3a\x2b\xd9\x01\xel\x6e\xb0\xe0\x5d\xeb\xa0\x14\xeb\xff£\x64\x06" 
"\xa0\x7d\x54\x36\x4e\xf£\x74\x2d\xa7\x79\xb0\xb3" 

#define TEST10_256 \ 
"\x83\x26\x75\x4e\x22\xK77\x37\x2£\x4£\xcl\x2b\x20\x52\x7a\xfe\xf0" 
"\x4d\x8a\x05\x69\x71\xb1\xla\xd5\x71\x23\xa7\xc1\x37\x76\x00\x00" 
"\xd7\xbe\xf6\xf3\xcl1\xf£7\xa9\x08\x3a\xa3\x9d\x81\x0d\xb3\x10\x77" 
"\x7d\xab\x8b\xle\x7£\x02\xb8\x4a\x26\xc7\x73\x32\x5£\x8b\x23\x74" 
"\xde\x7a\x4b\x5a\x58\xcb\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b" 
"\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65\x92\xec\xed\xaa\x66\xca" 
"\x82\xa2\x9d\x0c\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4\xc0\xa4" 
"\x3£\x8d\x79\xa3\x0a\x16\x5c\xba\xbe\x45\x2b\x77\x4b\x9c\x71\x09" 
"\ xa9\x7d0\x13\x8f£\x12\x92\x28\x96\x6f\x6c\x0a\xdc\x10\x6a\xad\x5a" 
"\x9f\xdd\x30\x82\x57\x69\xb2\xc6\x71\xaf\x67\x59\xd£\x28\xeb\x39" 
"\x3d\x54\xd6" 

#define TEST7_384 \ 
"\x8b\xc5\x00\xc7\x7c\xee\xd9\x87\x9d\xa9\x89\x10\x7c\xe0\xaa" 

#define TEST8 384 М 
"\ xa4\x1lc\x49\x77\x79\xc0\x37\x5£\xf1\x0a\x7£\x4e\x08\x59\x17\x39" 

#define TEST9 384 \ 
"\x68\xf£5\x01\x79\x2d\xea\x97\x96\x76\x70\xX22\xd9\x3d\xa7\x16\x79" 
"\x30\x99\x20\xfa\x10\x12\xae\xa3\x57\xb2\xb1\x33\x1ld\x40\xal\xd0" 
"\x3c\x41\xc2\x40\xb3\xc9\xa7\x5b\x48\x92\xf4\xc0\x72\x4b\x68\xc8" 
"\x75\x32\xla\xb8\xcf\xe5\x02\x3b\xd3\x75\xbc\x0f\x94\xbd\x89\xfe" 
"\x04\x£2\x97\xK10\x5d\x7b\x82\xff£\xc0\x02\xla\xeb\xlc\xcbh\x67\x4f£" 
"\x52\x44\xea\x34\x97\xde\x26\xa4\x19\x1lco\x5f\x62\xe5\xe9\xa2\xd8" 
"\x08\x2£\x05\x51\xf4\xa5\x30\x68\x26\xe9\x1lc\xc0\x06\xce\xlb\xf6" 
"\xOf\x£7\x19\xd4\x2£\xa5\x21\xc8\x71\xcd\x23\x94\xd9\x6e\xf4\x46" 
"\x8£\x21\x96\x6b\x41\xf2\xba\x80\xc2\x6e\x83\xa9" 

#define TEST10_384 \ 
"\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb\x69\x12\xec\x10\xff\xcf" 
"\x74\x79\x03\x49\xb7\xdc\x8f£\xbe\x4a\x8e\x7b\x3b\x56\x21\xdb\x0f" 
"\x3e\x7d\xc8\x7£\x82\x32\x64\xbb\xe4\x0d\x18\x11\xc9\xea\x20\x61" 
"\xel\xc8\x4a\xd1\x0a\x23\xfa\xcl1\x72\x7e\x72\x02\xfc\x3£\x50\x42" 
"\xe6\xbf£f\x58\xcb\xa8\xa2\x74\x6e\x1l£\x64\xf9\xb9\xea\x35\x2c\x71" 
"\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86\x5£\x25\xcc\x22\xb5\xe8" 
"\x77\x84\xal\x2£\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\xK19\x9a\x2c\xe6" 
"\x56\x5c\xbd\xf1\x3d\xca\x40\x38\x32\xcf\xcb\x0e\x8b\x72\x11\xe8" 
"\x3a\x£3\x2a\x11\xac\x17\x92\x9£\xf1\xc0\x73\xa5\xlc\xc0\x27\xaa" 
"\xed\xef\xf8\x5a\xad\x7c\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a" 
"\x77\x35\x7b\xda\xla\x6d\xae\xed\x17\x15\x1lc\xb9\xbc\x51\x25\xa4" 
"\x22\xe9\x41\xde\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd\xd0\x96" 
"\x76\x71\xlc\xf3\xdb\x0a\x34\x40\x72\x0e\x16\x15\xcl1\xf2\x2f£\xbc" 
"\x3c\x72\xl1ld\xe5\x21\xel\xb9\x9b\xal\xbd\x55\x77\x40\x86\x42\x14" 
"\x7e\xd0\x96" 
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#define TEST7_512 \ 
"\x08\xec\xb5\x2e\xba\xel\x£7\x42\x2d\xb6\x2b\xcd\x54\x26\x70" 

#define TEST8_512 \ 
"\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81\x6e\x9d\x98\xbf\xf0\xa0" 

#define TEST9 512 \ 
"\x3a\xdd\xec\x85\x59\x32\x16\xd1\x61\x9a\xa0\x2d\x97\x56\x97\x0b" 
"\xfc\x70\xac\xe2\x74\x4£\x7c\x6b\x27\x88\x15\x10\x28\xf£7\xb6\xa2" 
"\x55\x0£\xd7\x4a\x7e\x6e\x69\xc2\xc9\xb4\x5f£\xc4\x54\x96\x6d\xc3" 
"\x1ld\x2e\x10\xda\x1lf£\x95\xce\x02\xbe\xb4\xbf£\x87\x65\x57\x4c\xbd" 
"\x6e\x83\x37\xef\x42\x0a\xdc\x98\xcl1\x5c\xb6\xd5\xe4\xa0\x24\x1b" 
"\xa0\x04\x6d\x25\x0e\x51\x02\x31\xca\xc2\x04\x6c\x99\x16\x06\xab" 
"\x4e\xe4\x14\x5b\xee\x2£\xf4\xbb\x12\x3a\xab\x49\x8d\x9d\x44\x79" 
"\x4£\x99\xcc\xad\x89\xa9\xal\x62\x12\x59\xed\xa7\x0a\x5b\x6d\xd4" 
"\ xbd\xd8\x77\x78\xc9\x04\x3b\x93\x84\x£5\x49\x06" 

#define TEST10_512 \ 
"\xa5\x5£\x20\xc4\x11\xaa\xd1\x32\x80\x7a\x50\x2d\x65\x82\x4e\x31" 
"\ xa2\x30\x54\x32\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d\xel\xde" 
"\x69\x74\xb£\x49\x54\x69\xfc\x7£\x33\x8£\x80\x54\xd5\x8c\x26\xc4" 
"\x93\x60\xc3\xe8\x7a\xf£5\x65\x23\xac\xf£6\xd8\x9d\x03\xe5\x6£\xf2" 
"\xf8\x68\x00\x2b\xc3\xe4\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3" 
"\ xb2\x43\x58\x6e\xla\x7d\x92\x49\x36\x69\x4f£\xcb\xba\xf8\x8d\x95" 
"\x19\xe4\xeb\x50\xa6\x44\xf£8\xe4\xf9\x5e\xb0\xea\x95\xbc\x44\x65" 
"\xc8\x82\xla\xac\xd2\xfe\x15\xab\x49\x81\x16\x4b\xbb\x6d\xc3\x2f£" 
"\x96\x90\x87\xal\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b\x76\x32\x99\x41" 
"\x9c\xc4\x12\x8b\xe9\xa0\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28" 
"\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13\x2e\x9a\x0d\xc6\xd3\xb1" 
"\xf8\xb2\x46\xf1\xa9\x8a\x3£\xc7\x29\x41\xb1\xe3\xbb\x20\x98\xe8" 
"\ xb£\x16\xf2\x68\xd6\x4£\x0b\x0£\x47\x07\xfe\xle\xal\xal\x79\x1b" 
"\xa2\xf3\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9\x49\xad\x47\xd7" 
"\xfb\x40\xd2" 

#define 5НА1 SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2\x3d" 
"\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d" 

#define SHA224 SEED "\xd0\x56\x9c\xb3\x66\x5a\x8a\x43\xeb\x6e\xa2" х 
"\x3d\x75\xa3\xc4\xd2\x05\x4a\x0d\x7d\x66\xa9\xca\x99\xc9\xce\xb0" \ 
"\х27" 

#define SHA256 SEED "\xf4\xle\xce\x26\x13\xe4\x57\x39\x15\x69\x6b" х 
"\x5a\xdc\xd5\xlc\xa3\x28\xbe\x3b\xf5\x66\xa9\xca\x99\xc9\xce\xb0" \ 
"\x27\x9c\xlc\xb0\xa7" 

#define SHA384 SEED "\x82\x40\xbc\x51\xe4\xec\x7e\x£7\x6d\x18\xe3" х 
"\x52\x04\xal\x9£\x51\xa5\x21\x3a\x73\xa8\xl1ld\x6£\x94\x46\x80\xd3" х 
"\x07\x59\x48\xb7\xe4\x63\x80\x4e\xa3\xd2\x6e\x13\xea\x82\x0d\x65" \ 
"\xa4\x84\xbe\x74\x53" 

#define SHA512 SEED "\x47\x3f£\xf1\xb9\xb3\xff\xdf\xal\x26\x69\x9a" х 
"\хс7\хе#\х9е\х8е\х78\х77\х73\х09\х58\х24\хсб\х42\х55\х7с\х13\х99" 
"\xd9\x8e\x42\x20\x44\x8d\xc3\x5b\x99\xbf\xdd\x44\x77\x95\x43\x92" 
"\x4c\xlc\xe9\x3b\xc5\x94\x15\x38\x89\x5d\xb9\x88\x26\x1lb\x00\x77" 
"\ x4b\x12\x27\x20\x39" 
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#define TESTCOUNT 10 
#define HASHCOUNT 5 
#define RANDOMCOUNT 4 
#define HMACTESTCOUNT 7 
#define HKDFTESTCOUNT 7 


#define PRINTNONE 0 
#define PRINTTEXT 1 
#define PRINTRAW 2 
#define PRINTHEX 3 
#define PRINTBASE64 4 


#define PRINTPASSFAIL 1 
#define PRINTFAIL 2 


#define length(x) (sizeof (х)-1) 


/* Test arrays for hashes. */ 
struct hash { 
const char *name; 
SHAversion whichSha; 
int hashsize; 
struct { 
const char *testarray; 
int length; 
long repeatcount; 
int extrabits; 
int numberExtrabits; 
const char *resultarray; 
р tests [TESTCOUNT]; 
const char *randomtest; 
const char *randomresults [RANDOMCOUNT] ; 
} hashes [HASHCOUNT] = { 
| "5НА1", 5НА1, SHAlHashSize, 
{ 


HKDF 


/* 1 */ ( TESTI, length(TEST1), 1, 0, 0, 
"A9993E364706816ABA3E25717850C26C9CDOD89D" 


/* 2 */ ( TEST2 1, length(TEST2 1), 1, 


0, 0, 


"84983Е441С3Вр26ЕВААЕ4АА1Е95129Е5Е54670Е1" 
/* 3 */ ( TEST3, length(TEST3), 1000000, 0, 
"34AA973CDACADAAAF61EEB2BDBAD27316534016F" 


/* 4 */ ( TESTA, length(TEST4), 10, 0, 


0, 


"DEA356A2CDDD90C7A7ECEDC5EBB563934F460452" 


PR ck po mmy 000, 70х98;, Sy 


"29826B003B906E660EFF4027CE98AF3531AC75BA" 


PR AO Rife "Аже", Tu 35,0, 05 
"SEOF80A34A9798CAFC6A5DBI6CC57BA4C4D 
/* 7 */ (| TEST7 1, length(TEST7_1), 1, 
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"6239781E03729919C01955B3FFA8ACB60B988340" }, 
/* 8 */ { TEST8 1, length(TEST8 1), 1, 0, 0, 
"82ABFF6605DBE1C17DEF12A394FA22A82B544A35" |), 
/* 9 */ ( ТЕ5Т9 1, length(TEST9 1), 1, OxEO, 3, 
"8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4" }, 
/* 10 */ ( TEST10 1, length(TEST10 1), 1, 0, 0, 
"CB0082C8F197D260991BA6A460E76E202BAD27B3" } 

), 5НА1 SEED, ( "E216836819477C7F78E0D843FEA4FF1B6D6C14CD4", 
"A2DBC7A5B1C6COA8BCB7AAA41252A6A7D0690DBC", 
"DB1F9050BB863DFEF4CE37186044E2EEB17EE013", 
"127FDEDF43D372A51D5747CA48FBFFE38EF6CDF 7B" 

} }, 
{ "SHA224", SHA224, SHA224HashSize, 

{ 

/* 1 */ { TESTI, length(TEST1), 1, 0, 0, 
"23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7E36C9DA7" |), 
/* 2 */ { TEST2 1, length(TEST2_1), 1, 0, 0, 
"75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B1952522525" }, 
/* 3 */ ( TEST3, length(TEST3), 1000000, 0, 0, 
"20794655980C91D8BBB4C1EA97 61 8A4BF03F42581948B2EE4EE7AD67" |, 
/* 4 */ ( TEST4, length(TEST4), 10, 0, 0, 
"567F69F168CD7844E65259CE658FE7AADFA25216E68ECAO0EB7AB8262" |), 
J* yy A р ти. 04-0, 0x68, 5, 
"E3B048552C3C387BCAB37F6EB06BB79B96A4A 
/* б */ | "NXx07", 1, 1, 0, 0, 
"00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450BEE2AA8C2A" |), 
/* 7 */ (| TEST7 224, length(TEST7_224), 1, ОхА0, 3, 
"1B01DB6CB4A9E43DED151 6BEB3DB0B87B6D1EA43187462C608137150" }, 
/* 8 */ { TEST8 224, length(TEST8_224), 1, 0, 0, 
"DF 90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC388E56191DB1" }, 
/* 9 */ ( TEST9 224, length(TEST9_224), 1, OxEO, 3, 
"54BEA6GEAB8195A2EB0A7906A4B4A876666300EEFBD1F3B8474F9CD57" |, 
/* 10 */ ( TEST10 224, length(TEST10 224), 1, 0, 0, 
"0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E9F20D5C3A4" ) 

), SHA224 SEED, { "100966A5B4FDE0B42E2A6C5953D4D7F41BA7CF79FD" 
"2DF431416734BE", "1DCA396B0C417715DEFAAE9641E10A2E99D55A" 
"BCB8A00061EB3BE8BD", "1864E627BDB2319973CD5ED7D68DA71D8B" 
"F0F983D8D9AB32C34ADB34", "А2406481ҒСІВСАҒ24рр08Е6752Е844" 
"709563FB916227FED598EB621F" 

} }, 
{ "SHA256", ЅНА256, SHA256HashSize, 
{ 


T 


IESFF27F51531A9551C" }, 


/* 1 */ ( ТЕ5ТІ, length(TEST1), 1, 0, 0, "ВА7816ВЕ8Е01СҒЕА4141" 
"40DE5DAE2223B00361A396177A9CBA10FF61F20015AD" }, 

/* 2 */ ( TEST2 1, length(TEST2_1), 1, 0, 0, "248D6A61D20638B8" 
"E5C026930C3E6039A33CE45964FF2167F6ECEDD419DBO6C1" |, 

/* 3 */ ( TEST3, length(TEST3), 1000000, 0, 0, "CDC76E5C9914FB92" 
"81A1C7E284D73E67F1809A48A497200E046D39CCC7112CDO" |, 
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/* 4 */ ( TESTA, length(TEST4), 10, 0, 0, "594847328451BDFA" 
"85056225462CC1D867D877FB388DFOCE35F25AB5562BFBB5" |, 
/* 5 */ ( "", 0, 0, 0x68, 5, "D6D3E02A31A84A8CAA9718ED6C2057BE" 
"09DB45E7823EB5079CE7A573A3760F95" }, 
/* 6 */ (| "Хх19", 1, 1, 0, 0, "68AA2E2EE5DFF96E3355E6C7EE373E3D" 
"бА4Е17Е75Е95180843709С0С9ВС3Е3р4" |, 
/* 7 х/ | TEST7 256, length(TEST7_256), 1, 0x60, 3, "77EC1DC8" 
"9C821FF2A1279089FA091B35B8CD960BCAF7DE01C6A7680756BEB972" }, 
/* 8 */ ( TEST8 256, length(TEST8 256), 1, 0, 0, "175ЕЕ69ВО2ВА" 
"9B58E2B0A5FD13819CEA573F3940A94F825128CF4209BEABBAE8" |), 
/* 9 */ | TEST9 256, length(TEST9 256), 1, OxAO, 3, "3E9AD646" 
"B8BBBAD2AC3C2CDC292E018BA5FD70B960CF1679777FCE708FDBO66E9" |), 
/* 10 */ 1 TEST10 256, length(TEST10 256), 1, 0, 0, "97DBCA7D" 
"FA46D62C8A422C941DD7E835B8AD3361763F7E9B2D95FAFODAGEl1CCBC" }, 
р, SHA256 SEED, { "83D28614D49C3ADCID6FCO5DB5F48037C0O56F8D2A4CE44" 
"EC6457DEA5DD797CD1", "99DBE3127EF2E93DD9322D6A07909EB33B6399" 
"5E529B3F954B8581621BB74D39", "8DA4BE295BB64661CA3C7EFD129A2F7" 
"25B33072DBDDE32385B9A87B9AF88EA76F", "40AF5D3F9716B040DF9408" 
"E31536B70FF906EC51B00447CA97D7DD97C12411F4" 
) }, 
{ "SHA384", SHA384, SHA384HashSize, 
{ 


/* 1 */ { TESTI, length(TEST1), 1, 0, 0, 
"CB00753F45A35E8BB5A03D699AC65007272C32ABOEDED163" 
"1A8B605AA43FF5BED8086072BA1E7CC2358BAECA134C825A7" }, 

/* 2 */ ( TEST2 2, length(TEST2 2), 1, 0, 0, 
"09330C33F71147E83D192FC782CD1B4753111B173B3B05D2" 
"2FA08086E3BOF712FCC7C71A557E2DB966C3E9FA91746039" ), 

/* 3 */ ( TEST3, length(TEST3), 1000000, 0, 0, 
"9D0E1809716474CB086E834E310A4A1CED149E9C0O0F24852" 
"7972CEC5704C2A5B07B8B3DC38ECC4EBAE97DDD87F3D8985" ), 

/* 4 */ ( TEST4, length(TEST4), 10, 0, 0, 
"2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A70" 
"BC84275B9COB3AB00D27A5CC3C2D224AA6B61A0D79FB4596" ), 

[Uy e op omm (у. 0 MOKED): 5; 
"8D17BE79E32B6718E07D8A603EB84BA0478F7FCFD1BB9399" 
"5F7D1149E09143ACIFFCFC56820E469F3878D957A15A3FE4" }, 

[*6 FP [ "Xxb9", I, l, 0, 0, 
"BC8089A19007C0B14195FA4ECC74094FEC64F01F90929282C" 
"2FB392881578208AD466828B1C6C283D2722CF0AD1AB6938" }, 

/* 7 */ ( TEST7 384, length(TEST7 384), 1, OxAO, 3, 
"D8CA43B38E12E7C42A7C9B810299FD6A770BEF30920F17532" 
"A898DE62C7A07E42 9344 9COB5FA70109F0783211CFC4BCE3" }, 

/* 8 */ { TEST8_384, length(TEST8_384), 1, 0, 0, 
"C9A68443A005812256B8EC76B0051 6F ODBB74FAB26D66591" 
"SF194B6FFBOE91EA9967566B58109CBC675CC208E4C823F7" |, 

/* 9 */ { TEST9 384, length(TEST9_384), 1, OxEO, 3, 
"5860E8DE91C21578BB4174D227898A98E0B45CAC760F0095" 
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"49495614DAEDCO775D92D11D9F8CE9B064EEAC8DAFC3A297" |, 


/* 10 */ { TEST10_384, length(TEST10_384), 1, 0, 0, 


"4F 440DB1E6EDD28 99FA335F09515AA025EE177A79F4B4AAF" 
"38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD20CFF1288C0" | 


May 2011 


}, SHA384 SEED, ( "CE44D7D63AE0C91482998CF662A51EC80BF6FC68661A3C" 


} 1, 


"57F87566112BD635A743EA904DEB7D7A42AC808CABE697F38F", 


"F9C6D2" 


"61881FEE41ACD39E67AA8D0BAD507C7363EB67E2B81F45759F9COFD7B503" 
"DF1AOB9E80BDE7BC333D75B804197D", "D96512D8C9F4A7A4967A366C01" 
"C6FD97384225B58343A88264847C1 8E4EF 8AB7AEE4 7 65FFBC3E30BD485D3" 
"638A01418F", "0CA76BD0813AF1509E170907A96005938BC985628290B2" 


"5FEF73CF6FAD68DDBA0AC8920C94E0541607B0915A7B4457F7" 


"SHA512", SHA512, SHA512HashSize, 


{ 


/* 1 */ ( TESTI, length(TEST1), 1, 0, 0, 


"DDAF35A193617ABACC417349AE20413112E6FA4E8 9A97EA2" 
"ОАЗЕЕЕЕ64855р39А2192992А274КС1А836ВАЗСЗ23АЗЕЕЕВВОІ" 
"454р4423643СЕ80Е2А9АС94ЕА54СА49Е" үр, 


/* 2 */ ( TEST2 2, length(TEST2_2), 1, 0, 0, 


"8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA]1" 
"729 9AEADB6889018501D28 9E4900F7E4331B99DEC4B5433A" 
"C7D329EEB6DD26545E96E55B874BE909" }, 


/* 3 */ ( TEST3, length(TEST3), 1000000, 0, 0, 


"E718483D0CE769644E2E42C7BC15B4638E1F98B13B204428" 
"5632A803AFA973EBDEOFF2448777EA60A4CBO432CE577C31B" 
"ЕВ009С5С2С49АА2ЕЯЕАрВ217Ар8СС09В" }, 


/* 4 */ ( TESTA, length(TEST4), 10, 0, 0, 


"89D05BA632C699C31231DEDA4FFC127D5A894DAD412COE024" 
"DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF33C765CB51" 
"0813A39CD5A84CAACAA64D3F3FB7BAE9" }, 


[* b еу ч Ч", 50, 0, O0xBO 5; 


"D4EE2 9A9E90985446B913CF1D1376C836F4BE2C1CF3CADA0" 
"72 0A6BF4857D88 6A7ECB3C4E4COFA8C7F95214E41DC1B0D2" 
"1B22A84CCO3BF8CE4845F34DD5BDBAD4" }, 


/* 6 */ ( "Ххро", 1, 1, 0, 0, 


"9992202938E882E73E20F6B69E68A0A7149090423D93C81B" 
"АВЗЕ21678р4АСЕЕЕЕ50Е4Е8САЕАРрА4С85А54ЕА8306826С4А" 
"р6Е74СЕСЕ9631ВЕА8А549В4АВЗЕВВА15" }, 


/* 7 */ (| TEST7 512, length(TEST7 512), 1, 0х80, 3, 


"ED8DC78E8B01B69750053DBB7A0A9EDAOFB9E9D292B1ED71" 
"SE80A7FE2 90A4E16664FD913E85854400C5AF05E6DAD31 6B" 
"735 9B43E64F8BEC3C1F237119986BBB6" }, 


/* 8 */ { TEST8 512, length(TEST8 512), 1, 0, 0, 


"CBOB67A4B8712CD73C9AABCOB199E9269B20844AFB75ACBD" 
"D1C153C9828924C3DDEDAAFE669C5FDDOBC66F630F677398" 
"8213bEB1B16F517ADODE4B2F0C95C90F8" }, 


/* 9 */ ( TEST9 512, length(TEST9 512), 1, 0x80, 3, 


"32BA76FC30EAA0208AEB50FFB5AF1864FDBF17902AA4DCOA6" 
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"82C61FCEA6D92B783267B21080301837F59DE79C6B337DB2" 
"526F8A0A510E5E53CAFED4355FE7C2F1" |, 

/* 10 */ 4 mESTIO 5123 length (TEST10_512), 1, 0, 0, 
"C665BEFB36DA189D78822D10528CBF3B12B3EEF726039909" 
"C1A16A270D48719377966B957A878E720584779A62825C18" 
"DA26415E49A7176A894E7510FD1451F5" | 

|, 5НА512 SEED, { "2ЕВВ1Е7Е00Ғ746ВА514ҒВС8С421Ғ36792ЕСОЕ11ҒЕ5ЕЕСЗ" 
"78E1AB0C07 9AA5F OF 66ALE3EDBAEB4F 998 4BE14437123038A452004A5576" 
"8C1FD8EED49E4A21BEDCD0", "25CBE5A4F2C7B1D7EF07011705D50C62C5" 
"000594243EAFD1241FC9F3D22B58184AE2FEE38E171CF8129E29459C9BC2" 
"EF 4 61AF5708887315F15419D8D17FE7949", "5B8B1F2687555CE2D7182B" 
"92F5C3F6C36547DA1C1 3DBB9EA4F7 3EA4CBBAF 8 9411527906D35B1B06C1B" 
"6A8007D05EC66DF0A406066829EAB618BDE3976515AAFC", "A46E36B007D" 
"19876CDB0B29AD074FE3C08CDD174D42169D6ABE5A1414B6E79707DF5877" 
"6A98091CF431854147BB6D3C66D43BFBC108FD715BDE6AA127C2BOE79F" 


I 


) 
у; 


/* Test arrays for HMAC. */ 
struct hmachash { 
const char *keyarray[5]; 
int keylength[5]; 
const char *dataarray[5]; 
int datalength[5]; 
const char *resultarray[5]; 
int resultlength[5]; 
} hmachashes[HMACTESTCOUNT] = ( 

[eq ey? Af 
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 
"\x0b\x0b\x0b\x0b\x0b" 

), { 20 }, í 
"\x48\x69\x20\x54\x68\x65\x72\x65" /* "Hi There" */ 

), { 8 }, { 
/* HMAC-SHA-1 */ 
"B617318655057264E28BCOB6FB378C8EF146BE00", 
/* HMAC-SHA-224 */ 
"896FB1128ABBDF196832107CD49DF33F47B4B1169912BA4F 53684B22", 
/* HMAC-SHA-256 */ 
"B0344C61D8DB38535CA8AFCEAFOBF12B881DC200C9833DA726E9376C2E32" 
"СЕЕ7" 2 
/* НМАС-5НА-384 */ 
"AFD03944D848 9562 6B0825F 4AB46907F15F IDADBE4101EC682AA034C7CEB" 
"C5 9CFAEA9EFA9076EDE7F4AF152E8B2FA9CB6", 
/* HMAC-SHA-512 */ 
"8 7AA7CDEASEF 61 9D4FF0B4241A1D6CB0237 9F4E2CE4EC2787AD0B30545E1" 
"7 CDEDAA8 33B7D6B8A702038B27 4EAFA3F4E4BE9D914EEB61F1702E696C20" 
"3A126854" 
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}, 1 SHAlHashSize, SHA224HashSize, SHA256HashSize, 
SHA384HashSize, SHA512HashSize } 


), 
(y us x А 
"\x4a\x65\x66\x65" /* 
), { 4 }, í 


"Jefe" */ 


May 2011 


"NxX77NX68NX61NxX74NX20NX64NX6£NX20NX79NX61NxX20NX77NX61NxX66eNx 74" 
"\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f" 
/* "what do ya want for nothing?" */ 


}, { 28 ), { 
/* HMAC-SHA-1 */ 
"EFFCDF6AESEB2FA2D2741 
/* HMAC-SHA-224 */ 


"A30E01098BC6DBBF45690F3A7 


/* HMAC-SHA-256 */ 


6D5F184DF9C259A7C79", 


E9E6DOF8BBEA2A39E6148008FD05l 


E44", 


"5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC" 


"3843", 
/* HMAC-SHA-384 */ 


"AF 45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B47E42EC3736322" 
"445E8E2240CA5E69E2C78B3239ECFAB21649", 


/* HMAC-SHA-512 */ 


"164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831FD610270CD7EA25" 


"05549758ВЕ75С05А994А6 
"38BCE737" 

), ( SHAlHashSize, SHA22 
SHA384HashSize, SHA512 


}, 
ҒАС 
{ 


D034F65F8FOE6FDCAEAB1A34D4A6B4I 


B63 61 


E070A" 


4HashSize, SHA256HashSize, 


HashSize } 


"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 


"\xaa\xaa\xaa\xaa\xaa" 
), ( 20 }, í 


"\ xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 
"\ xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 
"\ xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd" 


"\хаа\хаа\хаа\хаа\хаа" 


), ( 50}, í 
/* HMAC-SHA-1 */ 


"125D7342B9AC11CD91A3 9AF48AA17B4F63F175D3", 


/* HMAC-SHA-224 */ 


"7FB3CB3588C6C1F6FFA9694D7D6AD2 6493 65B0C1F65D69D1EC8333EA", 


/* HMAC-SHA-256 */ 


"773EA91E36800E46854DB8EBD09181A72959098B3EF8C122D9635514CED5" 


"BEEN, 
/* HMAC-SHA-384 */ 


"88062608р3Е6АРВ8АОАА2АСЕ014С8А86ЕОАА6350947АС9ЕЕВЕВ83ЕР4Е55966" 
"144B2A5AB39DC13814B94E3AB6E101A34F27", 


/* HMAC-SHA-512 */ 
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"FA73B0089D56A284EFBOF0756C890BE9B1B5DBDD8EE81A3655F83E33B227" 
"9D39BF3E848279A722C806B485A47E67C807B946A337BEE8942674278859" 
"E13292FB" 

}, ( SHAlHashSize, SHA224HashSize, SHA256HashSize, 
SHA384HashSize, SHA512HashSize } 


), 

{ /* 4 */ 4 
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0£" 
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" 

{ 25 }, { 
"\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 
"\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 
"\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd" 
"\xcd\xcd\xcd\xcd\xcd" 

}, { 50 }, { 
/* HMAC-SHA-1 */ 
"4C9007F4026250C6BC8414F9BF50C86C2D7235DA", 
/* HMAC-SHA-224 */ 
"6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFCO12DE7AFEC5A", 
/* HMAC-SHA-256 */ 
"82558A389A443COEA4CC819899F2083A85FOFAA3E578F8077A2E3FF46729" 
" 665B", 

/* HMAC-SHA-384 */ 

"3E8A69B7783C25851933AB6290AF 6CA77A9981480850009CC5577C6E1F57" 
"3BAE6801DD23CA4A7D679CCF8A386C674CFFB", 
/* HMAC-SHA-512 */ 
"B0BA465637458C6990E5A8C5F61DA4AF7E576D97FF94B872DE76F8050361E" 
"E3DBA91CA5C11AA25EBA4D679275CC5788063A5F19741120CAF2DE2ADEBEB" 
"10A298DD" 

}, ( SHAlHashSize, SHA224HashSize, SHA256HashSize, 
SHA384HashSize, SHA512HashSize } 


} 


` 


), 

[ 4*5. | 
"\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 
"\x0c\x0c\x0c\x0c\x0c" 

), { 20 1,1 
"Test With Truncation" 

), { 20}, í 
/* HMAC-SHA-1 */ 
"4С1А03424В55Е07ЕЕ7Е27ВЕ1", 
/* НМАС-5НА-224 */ 
"OR2AFA68A90C8D37C988BCDB9FCA6FA8", 
/* HMAC-SHA-256 */ 
"A3B6167473100EE06E0C796C2955552B", 
/* HMAC-SHA-384 */ 
"ЗАВЕЗ4С3503В2А23А46ЕЕС619ВАЕЕ897", 
/* НМАС-5НА-512 */ 
"415FAD6271580A531D4179BC891D87A6" 
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}, { 12, 16, 16, 16, 16 ) 

), 

ЦИР дан 25287! 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 

), { 80, 131 }, { 
"Test Using Larger Than Block-Size Key - Hash Key First" 
), ( 54 ), 1 
/* HMAC-SHA-1 */ 
"AAA4AE5E15272D00E95705637CE8A3B55EDA402112", 
/* HMAC-SHA-224 */ 
"95E9AO0DB962095ADAEBE9B2D6FODBCE2D499F112F2D2B7273FA6870E", 
/* HMAC-SHA-256 */ 
"60E431591EEO0B67FO0D8A26AACBF5B77F8E0BC6213728C5140546040FO0EE3" 
"7Е54 т 
/* НМАС-5НА-384 */ 
"AECE084485813E9088D2C63A041BC5BAAF9EF1012A2B588F3CD11F05033A" 
"CAC60C2bEF6ABAO030FE8296248DF163F44952", 
/* HMAC-SHA-512 */ 
"80B24263C7C1A3EBB71493C1DD7BE8B4 9B4 6D1F41B4AEEC1121B013783F8" 
"F3526B56D037E05F2598BDOFD2215D6A1E5295E64F73F63FO0AEC8B915A98" 
"5D786598" 
), { SHAlHashSize, SHA224HashSize, SHA256HashSize, 
SHA384HashSize, SHA512HashSize } 


), 

{ /* 7 */ { 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 
"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 

), { 80, 131 ), { 
"Test Using Larger Than Block-Size Key and " 
"Larger Than One Block-Size Data", 
"\х54\х68\х69\х73\х20\х69\х73\х20\х61\х20\х74\х65\х73\х74\х20" 
"\х75\х73\хб9\хбе\х67\х20\х61\х20\хбс\хб1\х72\х67\х65\х72\х20" 
"\х74\х68\х61\хбе\х20\х62\хбс\хб#\хб63\хбь\х2а\х73\хб9\х7а\хб5" 
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"\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67" 

"\x65\x72\x20\xK74\x68\x61\x6e\x20\x62\x6c\x6£\x63\x6b\x2d\x73" 

"\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b" 

"\x65\x79\x20\x6e\x65\x65\x64\x73\x20\xK74\x6£\x20\x62\x65\x20" 

"\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6£\x72\x65\x20\x62" 

"\хб5\хб9\хбе\х67\х20\х75\х73\х65\х64\х20\х62\х79\х20\х74\х68" 

"\х65\х20\х48\х44\х41\х43\х20\х61\хбс\хб67\хбЕ\х72\х69\х74\х68" 

"\x6d\x2e" 

/* "This is a test using a larger than block-size key and a " 
"larger than block-size data. The key needs to be hashed " 
"before being used by the HMAC algorithm." */ 

}, ( 73, 152 }, { 

/* HMAC-SHA-1 */ 

"E8bE99DOF45237D786D6BBAA7965C7808BBFF1A91", 

/* HMAC-SHA-224 */ 

"3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95C9F6F565D1", 

/* HMAC-SHA-256 */ 

"9BO09FFA71B942FCB27635FBCD5BOE944BFDC63644F0713938A7F51535C3A" 

"3562 т. 

/* HMAC-SHA-384 */ 

"6617178E941F020D351E2F254E8FD32C602420FEBOB8FB9ADCCEBB82461E" 

"99C5A678CC31E799176D3860E6110C46523E", 

/* HMAC-SHA-512 */ 

"E37B6A775DC8 7DBAA4DFA9F 9 6E5E3FFDDEBD71F8867289865DF5A32D20CD" 

"C944B6022CAC3C4982B1 0D5EEB55C3E4DE15134676FB6DE0446065C97440" 

"FA8C6A58" 

}, 1 SHAlHashSize, SHA224HashSize, SHA256HashSize, 

SHA384HashSize, SHA512HashSize } 


) 
у; 


/* Test arrays for НКРЕ. */ 
struct hkdfhash { 
SHAversion whichSha; 
int ikmlength; 
const char *ikmarray; 
int saltlength; 
const char *saltarray; 
int infolength; 
const char *infoarray; 
int prklength; 
const char *prkarray; 
int okmlength; 
const char *okmarray; 
} hkdfhashes [HKDFTESTCOUNT] = { 
{ /* RFC 5869 A.1. Test Case 1 */ 
SHA256, 
22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 
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"\ x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 

13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 

10, "\xf0O\xf1\xf2\xf3\xf4\xf5\xf6\x£7\xf8\xf9", 

32, "077709362C2E32DFODDC3F0DCA47BBA6390B6C73BB50F9C3122EC844A" 
"D7C2B3E5", 

42, "3CB25F25FAACD57A90434F64D0362F2A2D2DOA90CF1A5AA4C5DB02D56" 
"ECC4C5BF34007208D5B887185865" 


/* RFC 5869 A.2. Test Case 2 */ 

SHA256, 

80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 
"\x0e\x0£\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\xla\xl1lb" 
"\х1с\х1а\х1е\х1#\х20\х21\х22\х23\х24\х25\х26\х27\х28\х29" 
"\x2a\x2b\x2c\x2d\x2e\x2£\x30\x31\x32\x33\x34\x35\x36\x37" 
"\x38\x39\x3a\x3b\x3c\x3d\x3e\x3£\x40\x41\x42\x43\x44\x45" 
"\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4£", 

80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d" 
"\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b" 
"\х7с\х7а\х7е\х7#\х80\х81\х82\х83\х84\х85\х86\х87\х88\х89" 
"\x8a\x8b\x8c\x8d\x8e\x8£\x90\x91\x92\x93\x94\x95\x96\x97" 
"\x98\x99\x9a\x9b\x9c\x9d\x9e\x9If\xa0\xal\xa2\xa3\xa4\xa5" 
"\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf", 

80, "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd" 
"\xbe\xbf\xc0\xcl1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb" 
"\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9" 
"\xda\xdb\xdc\xdd\xde\xdf\xe0\xel\xe2\xe3\xe4\xe5\xe6\xe7" 
"\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf£3\xf4\xf5" 
"\xf6\xf£7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 

32, "06A6B88C5853361A06104C9CEB35B45C" 
"ЕЕ760014904671014А193Е40С15ЕС244", 

82, "B11E398DC80327A1C8E7F78C596A4934" 
"4ЕО12ЕПрА24ЕЕАРр8А050СС4С19АЕА97С" 
"59045A99CAC7827271CBA1C65E590E09" 
"DA3275600C2F09B8367793A9ACA3DB71" 
"СС30С58179ЕС3Е87С14С01р5С1Е3434Е" 

" 1D87 " 


/* RFC 5869 А.З. Test Case 3 */ 

SHA256, 

22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 
"\ x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 

0, "n 

02 тл. 

32, "19EF24A32C717B167F33A91D6F648BDF" 
"96596776AFDB6377ACA34C1C293CCB04", 

42, "8DA4E775A563C18F715F802A063C5A31" 
"B8A11F5C5EE1879EC3454E5F3C738D2D" 
"9р201395ЕАА4В61А96С8" 
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), 

( /* ВЕС 5869 A.4. Test Case 4 х/ 

ЅНА1, 

11, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 

13, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c", 

10, "\xfO\xf1\xf2\xf3\xf4\xf5\xf6\x£f7\xf8\xf9", 

20, "9B6C18C432A7BF8FO0E71C8EB88F4B30BAA2BA243", 

42, “O85A01EFA1B10F36933068B56EFA5AD81" 
"A4F14B822F5B091568A9CDD4F155FDA2" 
"C22E422478D305F3F896" 


/* RFC 5869 A.5. Test Case 5 */ 

ЅНА1, 

80, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d" 
"\x0e\x0£\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\xla\xl1lb" 
"\х1с\х1а\х1е\х1#\х20\х21\х22\х23\х24\х25\х26\х27\х28\х29" 
"\x2a\x2b\x2c\x2d\x2e\x2£\x30\x31\x32\x33\x34\x35\x36\x37" 
"\x38\x39\x3a\x3b\x3c\x3d\x3e\x3£\x40\x41\x42\x43\x44\x45" 
"\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4£", 

80, "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D" 
"\хбЕ\х6Е\х70\х71\х72\х73\х74\х75\х76\х77\х78\х79\х7А\х7Вв" 
"\x7C\X7D\X7E\X7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89" 
"\ x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97" 
"\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5" 
"\ xA6\xXA7\xA8\xA9\xAA\xAB\xAC\xXAD\XAE\XAF", 

80, "\xBO\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD" 
"\ xBE\XBF\xCO\xXC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB" 
"\xCC\xCD\xCE\xCF\xDO\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9" 
"\ xDA\xDB\xDC\xDD\xDE\xDF\xE0O\xXE1\xE2\xE3\xE4\xE5\xE6\xE7" 
"\xE8\xE9\xEA\xXEB\xXEC\xED\xEE\xEF\xXFO\xXF1\xF2\xF3\xF4\xF5" 
"\ xF6\xXF7\xF8\xF9\xFA\XFB\XFC\XFD\XFE\XxFF", 

20, "8ADAE09A2A307059478D309B26C4115A224CFAF6", 

82, “OBD770A74D1160F7C9F12CD5912A06EB" 

"FF 6ADCAE8 99092191ЕЕ4305673ВА2ЕЕЕ" 
"8FA3F1A4E5AD7 9F3F334B3B202B2173C" 
"48 6FA37CE3D397ED034C7F9DFEBIL5C5E" 
"927336D0441FA4CA300E2CFF0DO900B52" 
"D3B4 " 


/* RFC 5869 А.6. Test Case 6 */ 

5НА1, 

22, "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" 
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 

0, "T, 

0, "mc 

20, "DA8C8A73C7FA77288EC6F5E7C297786AA0D32D01", 

42, "OAC1AF7002B3D761D1E55298DA9D0506" 
"B9AE52057220A306E07B6B87E8DF21DO0" 
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EA00033DE03984D34918" 


/* RFC 5869 A.7. Test Case 7. */ 

ЅНА1, 

22, "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c" 
"\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 

0, б, 

б; " ын 

20, “2ADCCADA18779E7C2077AD2EB1 9D3F3E731385DD", 

42, "2C91117204D745F3500D636A62F64F0A" 
"B3BAE548AA53D423B0D1F27EBBA6F5E5" 
"673A081D70CCE7ACFC48" 


у; 
/ж 


* Check the hash value against the expected string, expressed in hex 
ЫГ 

static const char hexdigits[ | = "0123456789АВСГЕР", 

int checkmatch(const unsigned char *hashvalue, 
const char *hexstr, int hashsize) 


{ 


ас) 
for (i = 0; i < hashsize; ++i) { 
if (*hexstr++ != hexdigits[ (hashvalue[i] >> 4) 6 OxF]) 
return 0; 
if (*hexstr++ != hexdigits[hashvalue[i] & OxF]) return 0; 


} 


return 1; 


} 
/ж 


х Print the string, converting non-printable characters to "." 
*/ 
void printstr(const char *str, int len) 
{ 
for ( ; len-- > 0; век) 
putchar (isprint ( (unsigned char)*str) ? *str : '.'); 


} 
/* 


х Print the string, converting all characters to hex "## ". 
ЖУ. 
void printxstr(const char *str, int len) 
{ 
char *sep = ""; 
for ( ; len-- > 0; 5144) | 
printf ("Ss%c%Sc", sep, hexdigits[(*str >> 4) 4 OxF], 
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sep = : 
1 
/* 


* Print a usage message. 
%/ 
void usage(const char *argv0) 
{ 
fprintf(stderr, 
"Usage:\n" 


"Common options: [-h hash] 


"Hash a string: n" 


HMAC-SHAs, and HKDF May 


І-м|-х|-61 [-H]\n" 


"\t%ss [-S expectedresult] -s hashstr [-k key] " 
"1-1 info -L okm-len]\n" 


"Hash a file:\n" 


"\t%ss [-S expectedresult] -f file [-k key] " 
"[-i info -L okm-len]\n" 
"Hash a file, ignoring whitespace: n" 
"\t%ss [-S expectedresult] -F file [-k key] " 
"1-1 info -L okm-len]\n" 
"Additional bits to add in: [-B bitcount -b bits]\n" 
"(If -k,-i&-L are used, run HKDF-SHA###.\n" 
" If -k is used, but not -i&-L, run HMAC-SHA###.\n" 
" Otherwise, run SHA###.)\n" 


"Standard tests:\n" 


"\t%s [-m | -d] 1-1 loopcount] [-t test#] [-e]\n" 
"\t\t[-r randomseed] [-R randomloop-count] " 


"[-р] [-Р]-Х]\п" 
"—hNthash to test: " 


"O|SHA1, 1|SHA224, 2|SHA256, 3|SHA384, 4|SHA512\n" 
"-m\tperform hmac standard tests Mn" 


"-k\tkey for hmac test n" 


"-dNtperform hkdf standard tests Vn" 
"—tNttest case to run, 1-10\n" 
"-]Nthow many times to run the test Vn" 


"—eNttest error returns\n" 


"-pNtdo not print results Mn" 

"-P\tdo not print PASSED/FAILED\n" 
"—XNtprint FAILED, but not PASSED\n" 
"-r\tseed for random test n" 

"-R\thow many times to run random test n" 


"-sNtstring to hash\n" 


"-SNtexpected result of hashed string, in hex\n" 
"-w\toutput hash in raw format Wn" 

"-x\toutput hash in hex format\n" 

"—-6Ntoutput hash in base64 format\n" 
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"-B\t# extra bits to add in after string or file input\n" 
"-b\textra bits to add (high order bits of #, 0% or Ox#)\n" 
"-HNtinput hashstr or randomseed is іп hex\n" 
, агау0, агау0, агау0, argv0); 
exit(1); 
} 


/* 
* Print the results and PASS/FAIL. 
Жу 
void printResult (11058 t *Message Digest, int hashsize, 
const char *hashname, const char *testtype, const char *testname, 
const char *resultarray, int printResults, int printPassFail) 


int i, k; 
if (printResults == PRINTTEXT) { 
printf ("\nhashsize=%d\n", hashsize) ; 
putchar('Nt'); 
for (i = 0; i « hashsize; 441) { 
putchar (hexdigits[(Message_Digest[i] >> 4) & OxF]); 
putchar (hexdigits[Message_Digest[i] & OxF]); 
putchar(' '); 
} 
putchar(’\n’); 


} else if (printResults == PRINTRAW) { 
fwrite(Message Digest, 1, hashsize, stdout); 
} else if (printResults == PRINTHEX) { 
for (i = 0; i < hashsize; ++i) { 


putchar (hexdigits[(Message_Digest[i] >> 4) & OxF]); 
putchar (hexdigits[Message_Digest[i] & OxF]); 
} 
putchar(’\n’); 
} else if (printResults == PRINTBASE64) { 
unsigned char b; 
char *sm = "ABCDEFGHIJKLMNOPORSTUVWXYZabcdefghijklmnopqrstuvwxyz" 
"0123456789+/"; 
for (i = 0; i < hashsize; i += 3) { 
putchar(sm[Message Digest[i] >> 2]); 
b = (Message_Digest[i] & 0x03) << 4; 
if (1+1 < hashsize) b |= Message Digest[i41] >> 4; 
putchar (sm[b]); 
if (1+1 < hashsize) { 
р = (Message Digest[i-*1] & 0х0Ғ) << 2; 
if (1+2 < hashsize) b |= Message Digest[i*2] >> 6; 
putchar(sm[b]); 
) else putchar('-'); 
if (1+2 < hashsize) putchar(sm[Message Digest[i-*2] & 0x3f]); 
else putchar('-'); 


Eastlake & Hansen Informational [Page 109] 


RFC 6234 SHAs, HMAC-SHAs, and HKDF May 2011 


} 
putchar(’\n’); 
} 


if (printResults && resultarray) { 
printf(" Should match: NnNt"); 
for (i = 0, k = 0; i < hashsize; itt, k += 2) { 
putchar (resultarray[k]); 
putchar (resultarray[k+1]); 
putchar(' '); 
} 
putchar(’\n’); 
} 


if (printPassFail && resultarray) { 


int ret = checkmatch(Message Digest, resultarray, hashsize); 
if ((printPassFail == PRINTPASSFAIL) || !ret) 
printf("$s 55 58: $sWMn", hashname, testtype, testname, 
ret ? "PASSED" : "FAILED"); 
} 

} 
/* 
* Exercise a hash series of functions. The input is the testarray, 


* repeated repeatcount times, followed by the extrabits. If the 
* result is known, it is in resultarray in uppercase hex. 
*4 
int hash(int testno, int loopno, int hashno, 
const char *testarray, int length, long repeatcount, 
int numberExtrabits, int extrabits, const unsigned char *keyarray, 
int keylen, const unsigned char *info, int infolen, int okmlen, 
const char *resultarray, int hashsize, int printResults, 
int printPassFail) 


USHAContext sha; 

HMACContext hmac; 

HKDFContext hkdf; 

lInt- err, 1) 

uint8 t Message Digest Buf[USHAMaxHashSize]; 
uint8 t *Message Digest - Message Digest Buf; 
char buf[20]; 


if (printResults == PRINTTEXT) { 
printf("\nTest 54: Iteration 84, Repeat %ld\n\t’", testnot+l, 
loopno, repeatcount) ; 
printstr(testarray, length); 
printf("’\n\t'"); 
printxstr(testarray, length); 
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printf("’\n"); 
printf (" Length-$d bytes (%d bits), ", length, length * 8); 
printf("ExtraBits за: $2.2xMn", numberExtrabits, extrabits); 


} 


if (info) Message Digest = malloc(okmlen); 


memset(&sha, 'N343', sizeof(sha)); /* force bad data into struct */ 


memset (&hmac, 'N343', sizeof(hmac)); 
memset (&hkdf, 'N343', sizeof(hkdf)); 


err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 
keyarray, keylen) 
keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 
keyarray, keylen) 
USHAReset(&sha, hashes[hashno].whichSha); 


if (err !- shaSuccess) 4 
fprintf(stderr, "hash(): $sReset Error %d.\n", 
info ? "hkdf" : keyarray ? "hmac" : "sha", err); 


return err; 


for (1 = 0; i < repeatcount; ++i) { 


err = info ? hkdfInput(&hkdf, (const uint8 t *)testarray, length) 


keyarray ? hmacInput(&hmac, (const uint8 t *) testarray, 


length) 
USHAInput(&sha, (const uint8 t *) testarray, 
length); 
if (err != shaSuccess) { 
fprintf(stderr, "hash(): $sInput Error %d.\n", 
info ? "hkdf" : keyarray ? "hmac" : "sha", err); 


return err; 


} 


if (numberExtrabits > 0) { 
err = info ? hkdfFinalBits(&hkdf, extrabits, numberExtrabits) 
keyarray ? hmacFinalBits(&hmac, (uint8 t) extrabits, 
numberExtrabits) 
USHAFinalBits(&sha, (uint8 t) extrabits, 
numberExtrabits); 


if (err != shaSuccess) { 
fprintf(stderr, "hash(): $sFinalBits Error %d.\n", 
info ? "hkdf" : keyarray ? "hmac" : "sha", err); 


return err; 


err = info ? hkdfResult(&hkdf, 0, info, infolen, 
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Message Digest, okmlen) 
keyarray ? hmacResult(&hmac, Message Digest) 
USHAResult(&sha, Message Digest); 


if (err != shaSuccess) { 
fprintf(stderr, "hash(): $s Result Error $d, could not compute " 
"message digest.\n", 
info ? "hkdf" : keyarray ? "hmac" : "sha", err); 


return err; 


} 


sprintf (buf, "за", ёеѕіпо+1); 

printResult (Message_Digest, info ? okmlen : hashsize, 
hashes [hashno].name, info ? "hkdf standard test" 
keyarray ? "hmac standard test" : "sha standard test", buf, 
resultarray, printResults, printPassFail); 


return err; 


Exercise an HKDF series. The input is the testarray, 
repeated repeatcount times, followed by the extrabits. If the 
result is known, it is in resultarray in uppercase hex. 


/ 


int hashHkdf (int testno, int loopno, int hashno, 


{ 


int printResults, int printPassFail) 


int err; 

unsigned char prk[USHAMaxHashSizet1]; 
uint8 t okm[255 * USHAMaxHashSizet1]; 
char buf[20]; 


if (printResults == PRINTTEXT) { 
printf("\nTest 84: Iteration %d\n\tSALT\t’", testno+1, loopno); 
printxstr(hkdfhashes[testno].saltarray, 
hkdfhashes[testno].saltlength); 
printf("'NnNtIKMNt'"); 
printxstr(hkdfhashes[testno].ikmarray, 
hkdfhashes[testno].ikmlength); 
printf("'NnNtINFONt'"); 
printxstr(hkdfhashes[testno].infoarray, 
hkdfhashes[testno].infolength); 
printf("’\n"); 
printf (" L-$d bytes\n", hkdfhashes[testno].okmlength) ; 
} 


/* Run hkdf() against the test vectors */ 
err = hkdf (hkdfhashes[testno] .whichSha, 
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(const uint8_t *) hkdfhashes[testno].saltarray, 
hkdfhashes[testno].saltlength, 
(const uint8 t *) hkdfhashes[testno].ikmarray, 
hkdfhashes[testno].ikmlength, 
(const uint8 t *) hkdfhashes[testno].infoarray, 
hkdfhashes[testno].infolength, okm, 
hkdfhashes[testno].okmlength); 
if (err != shaSuccess) { 
fprintf(stderr, "hashHkdf(): hkdf Error %d.\n", err); 
return err; 
} 
sprintf (buf, "hkdf за", testnotl); 
printResult (окт, hkdfhashes[testno].okmlength, 
USHAHashName (hkdfhashes[testno].whichSha), "hkdf standard test", 
buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 


/* Now run hkdfExtract() by itself against the test vectors */ 
/* to verify the intermediate results. */ 
err = hkdfExtract (hkdfhashes[testno].whichSha, 
(const uint8 t *) hkdfhashes[testno].saltarray, 
hkdfhashes[testno].saltlength, 
(const uint8 t *) hkdfhashes[testno].ikmarray, 
hkdfhashes[testno].ikmlength, prk); 
if (err !- shaSuccess) { 
fprintf(stderr, "hashHkdf(): hkdfExtract Error %d.\n", err); 
return err; 


} 

sprintf (buf, "hkdfExtract 54", testnotl); 

printResult (prk, USHAHashSize (hkdfhashes[testno].whichSha), 
USHAHashName (hkdfhashes[testno].whichSha), "hkdf standard test", 
buf, hkdfhashes[testno].prkarray, printResults, printPassFail); 


/* Now run hkdfExpand() by itself against the test vectors */ 
/* using the intermediate results from hkdfExtract. */ 
err = hkdfExpand(hkdfhashes[testno].whichSha, prk, 
USHAHashSize(hkdfhashes[testno].whichSha), 
(const uint8 t *)hkdfhashes[testno].infoarray, 
hkdfhashes[testno].infolength, okm, hkdfhashes[testno].okmlength); 
if (err != shaSuccess) { 
fprintf(stderr, "hashHkdf(): hkdfExpand Error %d.\n", err); 
return err; 


} 

sprintf (buf, "hkdfExpand 54", testnotl); 

printResult (okm, hkdfhashes[testno].okmlength, 
USHAHashName (hkdfhashes[testno].whichSha), "hkdf standard test", 
buf, hkdfhashes[testno].okmarray, printResults, printPassFail); 


return err; 
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/* 

* Exercise a hash series of functions. The input is a filename. 


* If the result is known, it is in resultarray in uppercase hex. 
х / 

int hashfile(int Һаѕһпо, const char *hashfilename, int bits, 
int bitcount, int skipSpaces, const unsigned char *keyarray, 
int keylen, const unsigned char *info, int infolen, int okmlen, 
const char *resultarray, int hashsize, 
int printResults, int printPassFail) 


USHAContext sha; 

HMACContext hmac; 

HKDFContext hkdf; 

int err, nread, c; 

unsigned char buf[4096]; 

uint8 t Message Digest Buf[USHAMaxHashSize]; 

uint8 t *Message Digest - Message Digest Buf; 

unsigned char cc; 

FILE *hashfp = (strcmp(hashfilename, "-") == 0) ? stdin 
fopen(hashfilename, "r"); 


if (!hashfp) { 
fprintf(stderr, "cannot open file ’%s’\n", hashfilename) ; 
return shaStateError; 


} 


if (info) Message Digest = malloc(okmlen) ; 


2011 


memset(&sha, 'N343', sizeof(sha)); /* force bad data into struct */ 


memset(&hmac, 'N343', sizeof(hmac)); 
memset (&hkdf, 'N343', sizeof(hkdf)); 
err = info ? hkdfReset(&hkdf, hashes[hashno].whichSha, 
keyarray, keylen) 
keyarray ? hmacReset(&hmac, hashes[hashno].whichSha, 
keyarray, keylen) 
USHAReset(&sha, hashes[hashno].whichSha); 


if (err != shaSuccess) { 
fprintf(stderr, "hashfile(): $sReset Error %d.\n", 
info ? "hkdf" : keyarray ? "hmac" : "sha", err); 


return err; 


} 


if (skipSpaces) 


while ((c = getc(hashfp)) != EOF) { 
if (!іѕѕрасе (с)) 1 
cc = (unsigned char)c; 


err = info ? hkdfInput(&hkdf, &cc, 1) 
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keyarray ? hmacInput(&hmac, &cc, 1) 
USHAInput(&sha, &cc, 1); 


if (err != shaSuccess) { 
fprintf(stderr, "hashfile(): %sInput Error %d.\n", 
info ? "hkdf" : keyarray ? "hmac" : "sha", err); 
if (hashfp != stdin) fclose(hashfp); 


return err; 


} 
else 
while ((nread = fread(buf, 1, sizeof(buf), hashfp)) > 0) { 
err = info ? hkdfInput (&hkdf, buf, nread) 
keyarray ? hmacInput(&hmac, buf, nread) 
USHAInput(&sha, buf, nread); 


if (err != shaSuccess) { 
fprintf(stderr, "hashfile(): $s Error %d.\n", 
info ? "hkdf" : keyarray ? "hmacInput" 
"shalnput", err); 
if (hashfp != stdin) fclose(hashfp); 


return err; 


if (bitcount » 0) 
err — info ? hkdfFinalBits(&hkdf, bits, bitcount) 
keyarray ? hmacFinalBits(&hmac, bits, bitcount) 
USHAFinalBits(&sha, bits, bitcount); 


if (err != shaSuccess) { 
fprintf(stderr, "hashfile(): $s Error %d.\n", 
info ? "hkdf" : keyarray ? "hmacFinalBits" 
"shaFinalBits", err); 
if (hashfp != stdin) fclose(hashfp) ; 


return err; 


err = info ? hkdfResult (&hkdf, 0, info, infolen, 
Message_Digest, okmlen) 
keyarray ? hmacResult(&hmac, Message Digest) 
USHAResult(&sha, Message Digest); 


if (err != shaSuccess) { 
fprintf(stderr, "hashfile(): $s Error %d.\n", 
info ? "hkdf" : keyarray ? "hmacResult" 
"shaResult", err); 
if (hashfp != stdin) fclose(hashfp); 


return err; 
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printResult (Message_Digest, info ? okmlen : hashsize, 
hashes[hashno].name, "file", hashfilename, resultarray, 
printResults, printPassFail); 


if (hashfp != stdin) fclose(hashfp); 
if (info) free(Message Digest); 
return err; 


Exercise a hash series of functions through multiple permutations. 
The input is an initial seed. That seed is replicated 3 times. 
For 1000 rounds, the previous three results are used as the input. 
This result is then checked, and used to seed the next cycle. 

* If the result is known, it is in resultarrays in uppercase hex. 

ху 
void randomtest (int hashno, const char *seed, int hashsize, 
const char **resultarrays, int randomcount, 
int printResults, int printPassFail) 


ж ж ж ж ж 


int і, 5); char buf[20]; 
unsigned char SEED[USHAMaxHashSize], MD[1003][USHAMaxHashSize]; 


/* INPUT: Seed - A random seed n bits long */ 

memcpy (SEED, seed, hashsize); 

if (printResults == PRINTTEXT) { 
printf("$s random test seed- "", hashes[hashno] .name) ; 
printxstr(seed, hashsize); 
printf("’\n"); 

} 


for (j = 0; j < randomcount; j++) { 

/* MDO MD1 MD2 Seed; */ 

memcpy (MD[0], SEED, hashsize); 

memcpy (Мр [1], SEED, hashsize); 

memcpy (MD[2], SEED, hashsize); 

for (i=3; i<1003; i++) 4 
/* Mi = MDi-3 || MDi-2 || MDi-1; */ 
USHAContext Mi; 
memset (&Mi, 'N343', sizeof(Mi)); /* force bad data into struct */ 
USHAReset(&Mi, hashes[hashno].whichSha); 
USHAInput(&Mi, MD[i-3], hashsize); 
USHAInput(&Mi, MD[i-2], hashsize); 
USHAInput(&Mi, MD[i-1], hashsize); 
/* MDi = SHA(Mi); */ 
USHAResult(&Mi, MD[i]); 
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/* MDj Seed - MDi; */ 


memcpy (SEED, MD[i-1], 


/* OUTPUT: MDj */ 


Sprintf(buf, "за", 3); 
printResult (SEED, hashsize, 


buf, 
() < RANDOMCOUNT) 


} 
/* 


* Look up a hash name. 
“у 
int findhash(const char *argvO0, 
{ 
int 14 
const char *names[HASHCOUNT] [2] 
{ тож, "shal" hy { "ыт, 
{ "ow. "sha384" 152 { nan. 
(i = 0; 
( (strcmp (opt, 
(scasecmp (opt, 
return i; 


i < HASHCOUNT; i++) 
names[i][0]) 
names [1] [1] 


fprintf(stderr, "$s: 
usage (argv0); 
return 0; 


} 
/ж 


hashsize); 


nu 


"sha224" 
"sha512" 


HMAC-SHAs, 


hashes[hashno].name, 
resultarrays ? resultarrays[jl 
? printPassFail 


), 


Unknown hash name: 


and HKDF 


0, 
0); 


printResults, 


const char *opt) 


May 2011 


"random test", 


{ "2 "впа256" ), 
} 
|| 
0)) 
'Ss'\n", argvO, opt); 


* Run some tests that should invoke errors. 


*/ 
void testErrors(int hashnolow, 
int printPassFail) 
{ 
USHAContext usha; 


int hashnohigh, 


uint8 t Message Digest[USHAMaxHashSize]; 


int hashno, err; 


for (hashno hashnolow; 
memset(&usha, 'N343', 
USHAReset (&usha, hashno); 
USHAResult (&usha, 
err USHAInput (&usha, 
if (printResults == PRINTTEXT) 
printf ("\nError $d. 
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Message_Digest) ; 
(const unsigned char *)"foo", 


Should be %d.\n", 


hashno <= hashnohigh; Һаѕһпо++) { 
sizeof (usha)); 


/* force bad data */ 


3); 


err, 
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int printResults, 


shaStateError); 
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} 


if ((printPassFail == PRINTPASSFAIL) | | 
((printPassFail == PRINTFAIL) && (err != shaStateError))) 
printf("$s se: %s\n", hashes[hashno].name, 
(err == shaStateError) ? "PASSED" : "FAILED"); 


err = USHAFinalBits(&usha, 0x80, 3); 


if (printResults == PRINTTEXT) 
printf ("\nError 54. Should be %d.\n", err, shaStateError); 
if ((printPassFail -- PRINTPASSFAIL) || 
((printPassFail == PRINTFAIL) && (err != shaStateError))) 
printf("$s se: %s\n", hashes[hashno].name, 
(err == shaStateError) ? "PASSED" : "FAILED"); 


err = USHAReset(0, hashes[hashno].whichSha); 


if (printResults == PRINTTEXT) 
printf("\nError $d. Should be %d.\n", err, shaNull); 
if ((printPassFail == PRINTPASSFAIL) || 
((printPassFail == PRINTFAIL) && (err != shaNull))) 
printf("$s usha null: %s\n", hashes[hashno].name, 
(err == shaNull) ? "PASSED" : "FAILED"); 


switch (hashno) { 
case SHA1: err = SHA1Reset (0); break; 


case SHA224: err - SHA224Reset(0); break; 
case SHA256: err - SHA256Reset(0); break; 
case SHA384: err - SHA384Reset(0); break; 
case SHA512: err - SHA512Reset(0); break; 
} 
if (printResults == PRINTTEXT) 
printf("\nError $d. Should be %d.\n", err, shaNull); 
if ((printPassFail == PRINTPASSFAIL) | | 
((printPassFail == PRINTFAIL) && (err != shaNull))) 
printf("$s sha null: %s\n", hashes[hashno].name, 
(err == shaNull) ? "PASSED" : "FAILED"); 


/* replace a hex string in place with its value */ 
int unhexStr(char *hexstr) 


{ 
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char *o = hexstr; 
int len 0, nibblel = 0, nibble2 = 0; 
if (!hexstr) return 0; 


for ( ; *hexstr; hexstrt++) { 
if (isalpha((int) (unsigned char) (*hexstr))) { 
nibblel = tolower((int) (unsigned char) (*hexstr)) - "а" + 10; 
) else if (isdigit((int) (unsigned char) (*hexstr))) { 
nibblel = *hexstr - "0"; 
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} else { 
printf("\nError: bad hex character '’%c’\n", *hexstr); 


} 
if (!*++hexstr) break; 


if (isalpha((int) (unsigned char) (*hexstr))) { 

nibble2 = tolower((int) (unsigned char) (*hexstr)) - "а" + 10; 
) else if (isdigit((int) (unsigned char) (*hexstr))) { 

nibble2 = *hexstr - "0"; 
) else ( 


printf("\nError: bad hex character '’%c’\n", *hexstr); 
} 
*o++ = (char) ((nibblel << 4) | nibble2); 
Іеп++; 
} 
return len; 


} 


int main(int argc, char **argv) 

{ 
int i, err; 
int loopno, loopnohigh = 1; 
int hashno, hashnolow = 0, hashnohigh = HASHCOUNT - 1; 
int testno, testnolow = 0, testnohigh; 
int ntestnohigh = 0; 
int printResults = PRINTTEXT; 
int printPassFail 1; 
int checkErrors = 
char *hashstr = 0; 
int hashlen = 0; 
const char *resultstr = 0; 
char *randomseedstr = 0; 
int runHmacTests = 0; 
int runHkdfTests = 0; 
char *hmacKey = 0; 
int hmaclen = 0; 
char *info = 0; 
int infolen = 0, okmlen = 0; 
int randomcount = RANDOMCOUNT; 
const char *hashfilename = 0; 
const char *hashFilename = 0; 
int extrabits = 0, numberExtrabits = 0; 
int strIsHex = 0; 


0; 


if ('A' != 0x41) { 
fprintf(stderr, "%s: these tests require ASCII\n", argv[0]); 
} 


while ((i = getopt(argc, argv, 
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"6b:B:def:F:h:i:Hk:l:L:mpPr:R:s:S:t:wxxX")) != -1) 
switch (i) { 
case 'b': extrabits = strtol(optarg, 0, 0); break; 
case 'B': numberExtrabits = atoi(optarg); break; 
case 'd': runHkdfTests = 1; break; 
case 'e': checkErrors = 1; break; 
case 'f': hashfilename = optarg; break; 
case 'F': hashFilename = optarg; break; 
case "р": hashnolow = hashnohigh = findhash(argv[0], optarg); 
break; 
case 'H': strIsHex = 1; break; 
case 'i': info = optarg; infolen = strlen(optarg); break; 
case ’k’: hmacKey = optarg; hmaclen = strlen(optarg); break; 
case "1": loopnohigh = atoi(optarg); break; 
case 'L': okmlen = strtol(optarg, 0, 0); break; 
case 'm': runHmacTests = 1; break; 
case 'P': printPassFail = 0; break; 
case 'p': printResults = PRINTNONE; break; 
case 'R': randomcount = atoi(optarg); break; 
case 'r': randomseedstr = optarg; break; 
case ’s’: hashstr = optarg; hashlen = strlen(hashstr); break; 
case "5": resultstr = optarg; break; 
case 't': testnolow = ntestnohigh = atoi(optarg) - 1; break; 


case 'w': printResults = PRINTRAW; break; 
case 'x': printResults = PRINTHEX; break; 
case 'X': printPassFail = 2; break; 

case '6': printResults = PRINTBASE64; break; 
default: usage(argv[0]); 

} 


if (strIsHex) { 
hashlen = unhexStr(hashstr) ; 
unhexStr (randomseedstr) ; 
hmaclen = unhexStr (hmacKey); 
infolen = unhexStr (info); 
} 
testnohigh = (ntestnohigh != 0) ? ntestnohigh: 
runHmacTests ? (HMACTESTCOUNT-1) 
runHkdfTests ? (HKDFTESTCOUNT-1) 
(TESTCOUNT-1); 
if ((testnolow « 0) || 


testnohigh »- (runHmacTests ? HMACTESTCOUNT : TESTCOUNT)) || 
hashnolow « 0) || (hashnohigh »- HASHCOUNT) || 

hashstr && (testnolow -- testnohigh)) || 

randomcount « 0) || 

resultstr && (!hashstr && !hashfilename && !hashFilename)) || 
(runHmacTests || hmacKey) && randomseedstr) || 

hashfilename && hashFilename) || 


( 
( 
( 
( 
( 
( 
( 
( 
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(info && ((infolen <= 0) || (okmlen <= 0))) || 
(info && !hmacKey) ) 
usage (argv[0]); 


/* 
* Perform SHA/HMAC tests 
*/ 
for (hashno = hashnolow; hashno <= hashnohigh; ++thashno) { 
if (printResults == PRINTTEXT) 
printf("Hash %s\n", hashes [hashno].name) ; 
err = shaSuccess; 
for (loopno = 1; (loopno <= loopnohigh) && (err == shaSuccess) ; 


L4 
++loopno) { 
if (hashstr) 
err = hash(0, loopno, hashno, hashstr, hashlen, 1, 
numberExtrabits, extrabits, (const unsigned char *)hmacKey, 
hmaclen, (const uint8_t *) info, infolen, okmlen, resultstr, 
hashes [hashno].hashsize, printResults, printPassFail); 


else if (randomseedstr) 
randomtest (hashno, randomseedstr, hashes[hashno].hashsize, 0, 
randomcount, printResults, printPassFail); 


else if (hashfilename) 
err = hashfile(hashno, hashfilename, extrabits, 
numberExtrabits, 0, 
(const unsigned char *)hmacKey, hmaclen, 
(const uint8 t *) info, infolen, okmlen, 
resultstr, hashes[hashno].hashsize, 
printResults, printPassFail); 


else if (hashFilename) 
err = hashfile(hashno, hashFilename, extrabits, 
numberExtrabits, 1, 
(const unsigned char *)hmacKey, hmaclen, 
(const uint8 t *) info, infolen, okmlen, 
resultstr, hashes[hashno].hashsize, 
printResults, printPassFail); 


else /* standard tests */ { 
for (testno - testnolow; 
(testno <= testnohigh) && (err == shaSuccess); ++testno) { 
if (runHmacTests) { 
err = hash(testno, loopno, hashno, 

hmachashes[testno].dataarray[hashno] ? 
hmachashes[testno].dataarray[hashno] 
hmachashes[testno].dataarray[1] ? 
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hmachashes[testno] 
hmachashes[testno] 
hmachashes[testno] 
hmachashes[testno] 
hmachashes[testno] 
hmachashes[testno] 
hmachashes[testno] 
17. 020 


and HKDF May 


.dataarray[1] 
.dataarray[0], 
.datalength[hashno] 
.datalength[hashno] 
.datalength[1] ? 
.datalength[1] 
.datalength[0], 


2 


(const unsigned char *) ( 
hmachashes[testno].keyarray[hashno] 
hmachashes[testno].keyarray[hashno] 
hmachashes[testno].keyarray[1] ? 
hmachashes[testno].keyarray[1] 
hmachashes[testno].keyarray[0]), 


hmachashes[testno] 
hmachashes[testno] 
hmachashes[testno] 
hmachashes[testno] 
hmachashes[testno] 
0, 0, 0, 

hmachashes[testno] 
hmachashes[testno] 


.keylength[hashno] 
.keylength[hashno] 
.keylength[1] ? 
.keylength[1] 
.keylength[0], 


.resultarray[hashno], 
.resultlength[hashno], 


printResults, 
) else if (runHkdfTests) { 
err hashHkdf (testno, 
printResults, 

) else ( /* sha tests */ 
err hash (testno, 
hashes[hashno] 
hashes[hashno] 
hashes[hashno] 
hashes [hashno] 
hashes [hashno] 
0, 0, 0, 0, O, 
hashes[hashno] 
hashes[hashno] 
printResults, 


} 


loopno, 


loopno, 


printPassFail); 


hashno, 
printPassFail); 


hashno, 

.tests[testno] 
.tests[testno] 
.tests[testno] 
.tests[testno] 
.tests[testno] 


.testarray, 
.length, 
.repeatcount, 
.numberExtrabits, 
.extrabits, 


.tests[testno] 
.hashsize, 
printPassFail); 


.resultarray, 


if (!runHmacTests && 


randomtest (hashno, 


hashes [hashno] .hashsize, 
printResults, 


RANDOMCOUNT, 
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'runHkdfTests) { 

hashes [hashno].randomtest, 

hashes [hashno].randomresults, 
printPassFail); 
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/* Test some error returns */ 
if (checkErrors) { 
testErrors(hashnolow, hashnohigh, printResults, printPassFail); 


} 


return 0; 
Compare two strings, case independently. 
Equivalent to strcasecmp() found on some systems. 
/ 
t scasecmp(const char *51, const char *s2) 
for (;;) { 
char ul = tolower((int) (unsigned char) (*s1++)); 
char u2 = tolower((int) (unsigned char) (*s2++)); 
if (ul != u2) 
return ul - u2; 
if (01 == 707) 
return 0; 


Security Considerations 


This document is intended to provide convenient open source access by 
the Internet community to the United States of America Federal 
Information Processing Standard Secure Hash Algorithms (SHAs) [FIPS 
180-2], HMACs based thereon, and HKDF. No independent assertion of 
the security of these functions by the authors for any particular use 
is intended. 


See [RFC6194] for a discussion of SHA-1 Security Considerations. 
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Appendix: Changes from RFC 4634 
The following changes were made to RFC 4634 to produce this document: 


1. Add code for HKDF and brief text about HKDF with pointer to 
[RFC5869]. 


2. Fix numerous errata filed against [RFC4634] as included below. 
Note that in no case did the old code return an incorrect hash 
value. 


2.a. Correct some of the error return values which has erroneously 
been "shaNull" to the correct "shaInputTooLong" error. 


2.b. Update comments and variable names within the code for 
consistency and clarity and other editorial changes. 


2.c. The previous code for SHA-384 and SHA-512 would stop after 
2^93 bytes (2^96 bits). The fixed code handles up to 2^125 
bytes (2^128 bits). 


2.d. Add additional error checking including a run time check in 
the test driver to detect attempts to run the test driver 
after compilation using some other character set instead of 
[US-ASCII]. 


3. Update boilerplate, remove special license in [RFC4634] as new 
boilerplate mandates simplified BSD license. 


4. Replace MIT version of getopt with new code to satisfy IETF 
incoming and outgoing license restrictions. 


5. Add references to [RFC6194]. 


6. Other assorted editorial improvements. 
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